Abstract


In a previous paper [1], we defined both a unified formal framework based on L.-S. Barbosa's components for modeling complex software systems, and a generic formalization of integration rules to combine their behavior. In the present paper, we propose to continue this work by proposing a variant of first-order fixed point modal logic to express both component and system requirements. We establish the important property that this logic is adequate with respect to bisimulation. We then study the conditions to be imposed on our logic (characterization of sub-families of formulae) to preserve properties along integration operators, and finally show correctness-by-construction results. The complexity of computing systems results in the definition of formal means to manage their size. To deal with this issue, we propose an abstraction (resp. simulation) of components by components. This enables us to build systems and check their correctness in an incremental way.


Keywords: Component modeling, $\mu$-calculus, coalgebra, correct by construction, refinement/abstraction


1 Introduction 


Systems Engineering (SE) is an interdisciplinary branch of engineering which is focused on how large industrial systems (i.e. complex systems) should be designed, managed and maintained throughout their life cycle. Having progressively emerged since the 1950s, SE is characterized by a number of concepts, methods and organizational/technical practices that the industry has developed to deal with the complexity of systems design (see [4, 9, 31, 38, 43] for further details). At the heart of SE is the notion of system, which is generally described as a set of interconnected components which, in turn, are themselves (recursively) defined as systems, interacting with one another to participate permanently in a common goal. In mathematical terms, a system is commonly defined with models coming from:


• control theory and physics, that deal with systems as partial functions (dynamical systems may also be rewritten in this way), called transfer functions, of the form:

$$\forall t \in T,\ y(t) = F(x, q, t)$$

where $x$, $q$ and $y$ are the input, state and output data-flows, and where $T$ stands for time (usually considered in these approaches as continuous; see [4, 12, 42]).


• theoretical computer science and software engineering, with systems that can be depicted by models equivalent to different types of state-based machines, evolving on discrete time generally considered as a universal predefined sequence of steps, and for which coalgebras provide a general framework (see [23, 28, 37]).


The formal characterization of SE is a fundamental aspect which is concerned with the integration of formal methods within the scope of SE, i.e. within the design cycle of a complex system. The formalization of SE entails two basic aspects: the development of modeling languages for rigorously specifying a system's design and the development of formal techniques for the analysis of the modeled system.

In a preceding paper [1], we introduced a formal abstract framework for modeling complex computing systems, which is based on Barbosa's coalgebraic definition of components [6, 7, 32]. In that respect ([1]) a complex computing system consists of the interconnection of a number of components, which are recursively combined by means of two basic operators: the Cartesian product and the feedback operator (i.e. two standard operators in the theory of dynamic and physical systems).

In [1], we restricted our formalisation to discrete (time) systems, i.e. 
systems for which time is considered as an order-isomorphic copy of natural 


A Logic for Complex Computing Systems: 
Properties Preservation Along Integration and Abstraction 3 


numbers. In [2] we extended such a discrete-time modelling approach, 
by proposing a novel formalism (based on deterministic Mealy automata), 
that, relying on results of non-standard analysis, allows one to consider 
homogeneously heterogeneous time scales (i.e. both continuous and discrete 
timing) for the modelled systems. 

By extending Rutten's work [15] to Barbosa's components, in [1, 2] we then showed how causal transfer functions can be associated with system semantics, allowing us to link with methods from control theory.


In this paper, we propose to further extend the formalization of SE for 
(discrete-time) complex computing systems, by considering two additional, 
fundamental aspects: 


1. the possibility to express expected properties of a system, often called system requirements, that allow for formally analyzing the modeled system. This will be complementary to the approach followed in [1, 25] where a conformance testing theory had been defined to validate a system design.

2. the possibility to describe system behavior at different abstraction levels. For that, we propose to give a formal meaning to a central concept in SE, i.e. component abstraction. Such a concept can be seen as the inverse of refinement, commonly used in software modeling [13, 20].


To fulfill the first aspect (system’s properties verification), it is necessary 
to consider a framework that on one hand allows us to formally express 
meaningful requirements addressing a system’s correctness, and on the 
other allows us to exhaustively check whether the considered system fulfills 
them. Since our modeling formalism is essentially based on the extension of 
Mealy automata with a monad T (i.e. thus allowing for capturing the most 
relevant computation structures including determinism, non-determinism 
and partiality [35]), it naturally follows that the language for stating system’s 
requirements should allow one to express temporal properties of a system 
with the ability to express constraints that relate the production of output 
values from input ones. 

Being mainly interested in this paper in theoretical results of behavior and property preservation, we propose to extend a logic that subsumes most modal and temporal logics: the $\mu$-calculus [5, 11, 27]. More precisely, following our work in [3], we propose a variant of first-order fixed point modal logic [26, 44]. This extension to the first order will allow us to export expected properties from components to systems, and thus to study their preservation along integration operators.

The logic we introduce herein is then an adaptation to the first order of that presented in [10] to our components. Of course, this logic will probably be restricted to the propositional case when, in future work, we are interested in its computational aspects such as system synthesis [10] or the definition of model-checking algorithms. Here, being interested in showing how the truth of formulae is preserved both by bisimulation and along integration and abstraction operators, the variant of first-order fixed point modal logic we propose is quite adequate.


The interest of studying property preservation is twofold: with respect to the integration operators, property preservation allows for establishing "correct-by-construction" proofs [19] (whatever is proved to hold at the component level is guaranteed to hold on the system resulting from the composition of components); with respect to the abstraction operator, the interest of property preservation is one of complexity gain: the analysis of a system behavior at a more abstract level of description (hence at a reduced model size) obviously enjoys a reduced complexity.


Such preservation results, as we will show in the remainder, allow us to 
obtain an incremental design method which can be applied to development 
and validation of large and complex systems. 


Moreover, they will be established both independently of the type of integration operator and for a large family of formulae which anyway contains all the interesting properties we can express on systems, such as deadlock freedom, reachability, existence of finite and infinite paths, etc.


The paper is structured as follows. Section 2 recalls the basic notions of monads the paper heavily relies upon. Section 3 recalls the formalism defined in [1], including the definition of Barbosa's components and that of integration operators (for component composition), while also introducing the notion of bisimulation with respect to systems. Section 4 introduces the logic we will consider to refer to (so-formalized) systems, i.e. an adaptation of the $\mu$-calculus to the extension of Mealy automata with monads. The results at the core of the paper are illustrated in the last two sections. Section 5 outlines the property preservation results with respect to the integration operators (i.e. Cartesian product and feedback); Section 6 describes the formalization of the abstraction operator and outlines the corresponding results, i.e. showing that system correctness is preserved along this operator.
2 Preliminaries


This paper relies on many terms and notations from the categorical theory 
of monads. We briefly introduce them here, but interested readers may refer 
to textbooks such as [8, 14] for further details. 

Monads [30] are a powerful abstraction for adding structure to objects. Given a category $\mathcal{C}$, a monad consists of an endofunctor $T : \mathcal{C} \to \mathcal{C}$ equipped with two natural transformations $\eta : id_{\mathcal{C}} \Rightarrow T$ and $\mu : T^2 \Rightarrow T$ which satisfy the conditions $\mu \circ T\eta = \mu \circ \eta T = id_T$ and $\mu \circ T\mu = \mu \circ \mu T$:

[Commutative diagrams of the two monad laws (unit laws on the left, associativity on the right); they restate the two equations above.]

$\eta$ is called the unit of the monad. Its components map objects in $\mathcal{C}$ to their naturally structured counterpart. $\mu$ is the product of the monad. Its components map objects with two levels of structure to objects with only one level of structure. The first condition states that a doubly structured object $\eta_{T(X)}(t)$ built by $\eta$ from a structured object $t$ is flattened by $\mu$ to the same structured object as the structured object $T(\eta_X)(t)$ made of structured objects built by $\eta$. The second condition states that flattening two levels of structure can be made either by flattening the outer (with $\mu_{T(X)}$) or the inner (with $T(\mu_X)$) structure first.

Let us consider a monad built on the powerset functor $P : Set \to Set$. We use it to model non-deterministic state machines by replacing the target state of a transition by a set of possible states$^2$. The component $\eta_S : S \to P(S)$ of the unit of this monad has to build a set of states from a state. We can choose $\eta_S : s \mapsto \{s\}$. The component $\mu_S : P(P(S)) \to P(S)$ of the product of the monad has to flatten a set of sets of states into a set of states. For a set of sets of states $(S_i)_i$, $\forall i, S_i \in P(S)$, we can choose $\mu_S : (S_i)_i \mapsto \bigcup_i S_i$.

In computing science, and in particular in the area of functional programming, monads have been used to represent many computation situations such as partiality, side-effects, exceptions, etc. [35]. More recently they have also been employed in complex systems' modeling, where they have been used to obtain a more generic representation of components by adding computation structures [6, 7, 32] to them.


$^2$ $Set$ is the category of sets.
3 Components and Systems


We recall the basic definitions on components and their composition [1], and 
introduce both simulation and bisimulation notions. 


3.1 Component 


Definition 1 (Computation structure) A computation structure for components is a monad $T : Set \to Set$ together with two natural transformations $\eta^! : T \Rightarrow P$ and $\eta^{!-1} : P \Rightarrow T$ such that $\eta^{!-1} \circ \eta^! = id$.

A computation morphism $\sigma$ between two computation structures $(T_1, \eta^!_1, \eta^{!-1}_1)$ and $(T_2, \eta^!_2, \eta^{!-1}_2)$ is a natural transformation $\sigma : T_1 \Rightarrow T_2$ such that $\eta^!_1 = \eta^!_2 \circ \sigma$ and $\eta^{!-1}_2 = \sigma \circ \eta^{!-1}_1$.

Obviously, computation structures and computation morphisms form a category.


In the following, we will denote any computation structure $(T, \eta^!, \eta^{!-1})$ simply by $T$ when this does not generate ambiguities.

Most monads used to represent computation situations satisfy the above condition. For instance, for the monad $T : S \mapsto P(S)$, both $\eta^!_S$ and $\eta^{!-1}_S$ are the identity on sets. For the functor $T : S \mapsto S \cup \{\bot\}$, $\eta^!_S$ associates the singleton $\{s\}$ to any $s \in S$ and the empty set to $\bot$, and $\eta^{!-1}_S$ associates the state $s$ to the singleton $\{s\}$ and $\bot$ to every other subset of $S$ which is not a singleton.
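The following Python code is an added example, not code from the paper: it implements the powerset monad of Section 2 on finite sets (Python frozensets), checks the two monad laws exhaustively on a small carrier, and encodes the computation structures $(T, \eta^!, \eta^{!-1})$ of Definition 1 for $T = P$ and for the partiality monad $T : S \mapsto S \cup \{\bot\}$, checking the retraction condition $\eta^{!-1} \circ \eta^! = id$ on every element of $T(S)$. All function names, the carrier set and the `BOT` sentinel are the example's own choices.

```python
"""Added example (not from the paper): the powerset monad P on finite sets, the
two monad laws of Section 2, and computation structures in the sense of
Definition 1 for P and for the partiality monad T : S |-> S u {bot}.
Finite sets are Python frozensets; a set of sets is a frozenset of frozensets."""
from itertools import chain, combinations

BOT = object()  # the adjoined "bottom" element of the partiality monad (example's choice)


def powerset(S):
    """P(S) as a frozenset of frozensets."""
    return frozenset(frozenset(c) for r in range(len(S) + 1) for c in combinations(S, r))


def P_map(f, X):
    """Action of the functor P on a morphism f: the direct image of X under f."""
    return frozenset(f(x) for x in X)


def eta_P(s):
    """Unit eta_S : S -> P(S), s |-> {s}."""
    return frozenset([s])


def mu_P(SS):
    """Product mu_S : P(P(S)) -> P(S), (S_i)_i |-> U_i S_i (flattening)."""
    return frozenset(chain.from_iterable(SS))


def monad_laws_hold(S):
    """Check mu o T(eta) = mu o eta_T = id_T on every t in P(S), and
    mu o T(mu) = mu o mu_T on every u in P(P(P(S))); S is finite so this is exhaustive."""
    PS = powerset(S)
    for t in PS:
        if mu_P(eta_P(t)) != t or mu_P(P_map(eta_P, t)) != t:
            return False
    for u in powerset(powerset(PS)):
        if mu_P(mu_P(u)) != mu_P(P_map(mu_P, u)):   # flatten outer first vs. inner first
            return False
    return True


# --- computation structures (Definition 1): eta^! : T => P and eta^{!-1} : P => T ---
def eta_bang_P(t):
    """For T = P both transformations are the identity on sets."""
    return t


def eta_bang_inv_P(X):
    return X


def eta_bang_maybe(t):
    """eta^!_S for T : S |-> S u {bot}: s |-> {s}, bot |-> {} (the empty set)."""
    return frozenset() if t is BOT else frozenset([t])


def eta_bang_inv_maybe(X):
    """eta^{!-1}_S: {s} |-> s, every subset that is not a singleton |-> bot."""
    return next(iter(X)) if len(X) == 1 else BOT


def is_computation_structure(T_S, eta_bang, eta_bang_inv, S):
    """Definition 1 on a finite carrier S: eta^! lands in P(S) and
    eta^{!-1} o eta^! = id holds on every element of T(S)."""
    PS = powerset(S)
    return all(eta_bang(t) in PS and eta_bang_inv(eta_bang(t)) == t for t in T_S)


def maybe_structure_ok(S):
    return is_computation_structure(set(S) | {BOT}, eta_bang_maybe, eta_bang_inv_maybe, S)


def powerset_structure_ok(S):
    return is_computation_structure(powerset(S), eta_bang_P, eta_bang_inv_P, S)
```

The associativity check enumerates $P(P(P(S)))$, which already has $2^{16}$ elements for a two-element carrier, so the carrier is kept small on purpose.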

It is important to note that less conventional monads such as the distribution monad, classically defined by $T : S \mapsto \{\mu : S \to \mathbb{R}_{\ge 0} \mid \sum_{s \in S} \mu(s) = 1\}$, are not directly applicable here. Indeed, the natural transformation $\eta^!$ cannot be defined without losing the probability attached to states. To recover such a monad in the framework developed here, the powerset monad $P$ should be applied to the set $S \times [0,1]$.

Following the authors in [17], branching systems are often expressed as a function of the form $\alpha : X \to TFX$ where $T : Set \to Set$ is a monad (for the branching type) and $F : Set \to Set$ is a functor (for the transition type). Therefore, whereas in [17] the authors encapsulate distributions in branching, we would rather encapsulate distributions in transitions, i.e. $F : S \mapsto S \times [0,1]$, and set $T = P$ with the condition that for every $s \in S$, $\sum_{(s',p) \in \alpha(s)} p = 1$ (which is substantially similar to the notion of bag in [7] used to introduce an (elementary) form of probabilistic non-determinism). Hence, the monad $T$ being the powerset monad, both $\eta^!$ and $\eta^{!-1}$ remain the identity natural transformation.

The interest of computation structures as defined in Definition 1 is that they will allow us to associate semantics (based on causal transfer functions) with components (see Definition 4).


Definition 2 (Components) Let $I$ and $O$ be two sets denoting, respectively, the input and output domains. Let $T$ be a computation structure. A component $C$ is a coalgebra $(S, \alpha)$ for the signature $H = T(O \times \_)^I : Set \to Set$ with a distinguished element $init \in S$ denoting the initial state of the component $C$.


By using the vocabulary of the theory of coalgebras [23, 37], a morphism of components is then a morphism between coalgebras, i.e. $f : (S, \alpha) \to (S', \alpha')$ is a morphism if $f : S \to S'$ is a mapping preserving initial states such that the following diagram commutes:

$$\begin{array}{ccc} S & \xrightarrow{\ f\ } & S' \\ \downarrow{\scriptstyle \alpha} & & \downarrow{\scriptstyle \alpha'} \\ H(S) & \xrightarrow{\ H(f)\ } & H(S') \end{array}$$

i.e. $H(f) \circ \alpha = \alpha' \circ f$. Let us note $Comp(H)$ the category of components.


Example 1 (Encoder/decoder) We illustrate the notions previously mentioned with an encoder/decoder system. Many other examples can be found in [1, 24]. An encoder/decoder is usually used to guarantee certain characteristics (e.g. error detection) when transmitting data across a link. A simple example of such an encoder/decoder is represented in Figure 1. It consists of two parts:

• An encoder that takes in an incoming bit sequence and produces an encoded value which is then transmitted on the link. In our framework, this encoder is considered as a component $E = (\{s_0, s_1\}, s_0, \alpha_E)$ where the transition function $\alpha_E : \{s_0, s_1\} \to (\{0,1\} \times \{s_0, s_1\})^{\{0,1\}}$ is graphically shown on the left of Figure 1.

• A decoder that takes the values from the link and produces the original value. In our framework, this decoder is considered as a component $D = (\{q_0, q_1\}, q_0, \alpha_D)$ where the transition function $\alpha_D : \{q_0, q_1\} \to (\{0,1\} \times \{q_0, q_1\})^{\{0,1\}}$ is graphically shown on the right of Figure 1.

As we can observe, both components are deterministic. Hence, they are defined over the signature $Id(\{0,1\} \times \_)^{\{0,1\}}$ where $Id$ is the computation structure defined by the identity functor $Id$ as monad together with $(\eta^!, \eta^{!-1})$ where, for every set $S$, $\eta^!_S : s \mapsto \{s\}$ and $\eta^{!-1}_S$ is any mapping that associates $s$ to $\{s\}$, and every subset of $S$ which is not a singleton to a given $s' \in S$.


[Figure 1: two two-state automata over input and output streams in $\{0,1\}^\omega$; each transition is labelled input|output.]

Figure 1: Encoder (on the left) and Decoder (on the right)


Following Rutten’s works [15], component semantics can be defined by 
causal transfer functions. 


Definition 3 (Transfer function) Let $I$ and $O$ be two sets denoting the input and output domains, respectively. Let us note$^4$ $I^\omega$ (resp. $O^\omega$) the set of mappings from $\omega$ to $I$ (resp. $O$). A transfer function $F : I^\omega \to O^\omega$ is a function that is causal, i.e.:

$$\forall n \in \omega,\ \forall x, y \in I^\omega,\ (\forall m,\ 0 \le m \le n,\ x(m) = y(m)) \Rightarrow F(x)(n) = F(y)(n)$$


In the following, to simplify the notations, we will prefer to note $\eta^!_{O \times S}(\alpha(s)(i))|_{\pi_j}$ with $j = 1, 2$ rather than using the more standard notation $P(\pi_j)(\eta^!_{O \times S}(\alpha(s)(i)))$ for the powerset image of the projections.
Definition 4 (Component semantics) Let $C = (S, init, \alpha)$ be a component over $T(O \times \_)^I$ and $s \in S$. Let us note $beh_C(s)$ the set of causal transfer functions $F : I^\omega \to O^\omega$ that associate to every $x \in I^\omega$ the stream $y \in O^\omega$ such that there exists an infinite sequence of couples $(o_1, s_1), \dots, (o_k, s_k), \dots \in O \times S$ satisfying:

$$\forall j \ge 1,\ (o_j, s_j) \in \eta^!_{O \times S}(\alpha(s_{j-1})(x(j-1)))$$

with $s_0 = s$, and for every $k \in \omega$, $y(k) = o_{k+1}$.
Hence, $C$'s semantics is the set $beh_C(init)$.

$^3$ As already explained in [1], in a computation structure it is never required that the couple $(\eta^!, \eta^{!-1})$ be unique given a monad $T$. However, for most monads this will be the case. When it is not, the choice of $\eta^{!-1}$ is often irrelevant because any of them would do.

$^4$ We note $\omega$ the least infinite ordinal, identified with the corresponding hereditarily transitive set.

The interest of both natural transformations $\eta^!$ and $\eta^{!-1}$ is that they allow us to "compute", for an input sequence $(i_0, \dots, i_{n-1})$, all the outputs $o$ after going through any sequence of states $(s_0, \dots, s_n)$ such that $s_j$ is obtained from $s_{j-1}$ by $i_{j-1}$. Without them, we could not characterise $s_j$ with respect to $\alpha(s_{j-1})(i_{j-1})$ because nothing ensures that elements in $\alpha(s_{j-1})(i_{j-1})$ are (output, state) couples. Indeed, the monad $T$ may yield a set with a structure different from $O \times S$. The mapping $\eta^!_{O \times S}$ maps back to this structure. $\eta^{!-1}_{O \times S}$ is useful for going back to $T$.


Example 2 The behaviour $beh_E(s_0)$ of the encoder component $E$ presented in Example 1 is defined by the unique function $F : \{0,1\}^\omega \to \{0,1\}^\omega$ defined for every $x \in \{0,1\}^\omega$ by $y \in \{0,1\}^\omega$ such that:

• $y(0) = x(0)$

• $\forall k,\ 0 < k < \omega$, … $= 1$ and $x(k) = 0$) or …

Under some standard conditions on the cardinality of behc(s) for every 
state s, we showed in [1] the existence of a final component. 


Next we define the standard notion of simulation and bisimulation [33, 
34] which will play an important role to show the adequacy of the logic 
(see Section 4). Moreover, abstraction of components will be based on an 
extension of simulation in order to take into account components defined 
over different signatures while simulation and bisimulation are defined for 
components over a same signature. 
Definition 5 (Simulation and bisimulation) Let $C_1 = (S_1, init_1, \alpha_1)$ and $C_2 = (S_2, init_2, \alpha_2)$ be two components over a signature $H = T(O \times \_)^I$. A subset $R \subseteq S_1 \times S_2$ is a simulation if, and only if, for all $(s_1, s_2) \in S_1 \times S_2$ and $i \in I$:

$$s_1 R s_2 \Rightarrow [\forall (o, s'_1) \in \eta^!_{O \times S_1}(\alpha_1(s_1)(i)),\ \exists (o, s'_2) \in \eta^!_{O \times S_2}(\alpha_2(s_2)(i)),\ s'_1 R s'_2]$$

We call $R$ a bisimulation if both $R$ and its (relational) inverse $R^{-1}$ are simulations.

Finally, $C_1$ is similar (resp. bisimilar) to $C_2$ if there exists a simulation (resp. a bisimulation) $R$ such that $init_1 R init_2$.


As is usual in coalgebra theory, bisimulation can be expressed more concisely by the fact that the projections from $R$ to $S_1$ and $S_2$ are morphisms, i.e. the following diagram commutes:

$$\begin{array}{ccccc} S_1 & \xleftarrow{\ \pi_1\ } & R & \xrightarrow{\ \pi_2\ } & S_2 \\ \downarrow{\scriptstyle \alpha_1} & & \downarrow{\scriptstyle \alpha_R} & & \downarrow{\scriptstyle \alpha_2} \\ H(S_1) & \xleftarrow{\ H(\pi_1)\ } & H(R) & \xrightarrow{\ H(\pi_2)\ } & H(S_2) \end{array}$$


All the basic facts on bisimulations remain true in our framework. Among others, the greatest bisimulation between $C_1$ and $C_2$, noted $\sim_{C_1, C_2}$ or simply $\sim$ when the context is clear, exists and is defined as the union of all bisimulations between $C_1$ and $C_2$.


Theorem 1 Let $C_1 = (S_1, init_1, \alpha_1)$ and $C_2 = (S_2, init_2, \alpha_2)$ be two components over a signature $T(O \times \_)^I$. We have:

$$\forall s_1 \in S_1,\ \forall s_2 \in S_2,\ s_1 \sim s_2 \Leftrightarrow beh_{C_1}(s_1) = beh_{C_2}(s_2)$$

Proof.
($\Rightarrow$) Let $i, j \in \{1, 2\}$ such that $i \ne j$. Let $F \in beh_{C_i}(s_i)$. Let $x \in I^\omega$. By definition, there exists an infinite sequence of states $s_{i1}, \dots, s_{in}, \dots \in S_i$ with $s_{i1} = s_i$ such that for every $l \ge 1$, $(F(x)(l+1), s_{i(l+1)}) \in \eta^!_{O \times S_i}(\alpha_i(s_{il})(x(l)))$. By the fact that $s_i \sim s_j$, there also exists an infinite sequence $s_{j1}, \dots, s_{jk}, \dots \in S_j$ with $s_{j1} = s_j$ such that for every $l \ge 1$, $(F(x)(l+1), s_{j(l+1)}) \in \eta^!_{O \times S_j}(\alpha_j(s_{jl})(x(l)))$ and $s_{i(l+1)} \sim s_{j(l+1)}$, and then $F \in beh_{C_j}(s_j)$.

($\Leftarrow$) Let $R \subseteq S_1 \times S_2$ be the binary relation defined by:

$$s_1 R s_2 \iff \exists F \in beh_{C_1}(s_1) \cap beh_{C_2}(s_2),\ \exists x \in I^\omega,\ \exists s_{11}, \dots, s_{1k}, \dots \in S_1,\ \exists s_{21}, \dots, s_{2k}, \dots \in S_2,$$
$$s_{11} = s_1 \wedge s_{21} = s_2 \wedge \big(\forall j \in \{1, 2\},\ \forall l \ge 1,\ (F(x)(l+1), s_{j(l+1)}) \in \eta^!_{O \times S_j}(\alpha_j(s_{jl})(x(l)))\big)$$

It is not difficult to show that $R$ is a bisimulation.

3.2 Systems 


Larger components are built through the composition of two basic integration 
operators: cartesian product and feedback. 


Cartesian product. The cartesian product is a composition where both 
components are executed simultaneously when triggered by a pair of input 
values. 


Definition 6 (Cartesian product) Let $C_1 = (S_1, init_1, \alpha_1)$ and $C_2 = (S_2, init_2, \alpha_2)$ be two components over $H_1 = T(O_1 \times \_)^{I_1}$ and $H_2 = T(O_2 \times \_)^{I_2}$, respectively. The cartesian product $\otimes(C_1, C_2)$ of $C_1$ and $C_2$ is the component $(S, (init_1, init_2), \alpha)$ over $H = T((O_1 \times O_2) \times \_)^{I_1 \times I_2}$ where:

• $S = S_1 \times S_2$ is the set of states,
• $init = (init_1, init_2)$ is the initial state,
• $\alpha : S \to T((O_1 \times O_2) \times S)^{I_1 \times I_2}$ is the unique mapping such that the following diagram commutes$^5$:

$$\begin{array}{ccccc} S_1 & \xleftarrow{\ p_1\ } & S_1 \times S_2 & \xrightarrow{\ p_2\ } & S_2 \\ \downarrow{\scriptstyle \alpha_1} & & \downarrow{\scriptstyle \alpha} & & \downarrow{\scriptstyle \alpha_2} \\ H_1(S_1) & \xleftarrow{\ T(\pi^o_1 \times p_1)^{\pi^i_1}\ } & H(S) & \xrightarrow{\ T(\pi^o_2 \times p_2)^{\pi^i_2}\ } & H_2(S_2) \end{array}$$

where $\pi^o_j : O_1 \times O_2 \to O_j$ and $\pi^i_j : I_1 \times I_2 \to I_j$ with $j = 1, 2$ are projections.

$^5$ $\alpha$ exists and is unique due to the universal property of the product in the category $Set$.
Example 3 The Cartesian product $\otimes(E, D)$ of the encoder component $E$ and the decoder component $D$ over the signature $H_\otimes = (I_\otimes, O_\otimes)$ with $I_\otimes = O_\otimes = \{0,1\} \times \{0,1\}$ is illustrated in Figure 2.

[Figure 2: the four-state product automaton; each transition is labelled $(i, i')|(o, o')$ with input pair $(i, i')$ and output pair $(o, o')$.]

Figure 2: The product $\otimes(E, D)$ of $E$ and $D$


Feedback. A component with feedback has directed cycles, where an output from a component is fed back to affect an input of the same component [29] (see Figure 3). That means the output of a component in any feedback composition depends on an input value that in turn depends on its own output value. The feedback operator is then a composition where some outputs of a component are linked to its inputs, i.e. some outputs can be fed back as inputs. In order to obtain a model which fits our component definition, we need to take into account the computational effects of the monad $T$. This monad impacts both the evolution of component states and the observation of its outputs. Therefore, the feedback link between outputs and inputs carries the parts of the structure imposed by $T$ to the inputs. First, we introduce feedback interfaces for defining correspondences between outputs and inputs of components and only keeping both inputs and outputs that are not involved in feedback.

Figure 3: Illustration of a system with feedback
Definition 7 (Feedback interface) Let $H = T(O \times \_)^I$ be a signature. A feedback interface over $H$ is a triple $\mathcal{I} = (f, \pi_i, \pi_o)$ where $f : I \times O \to I$ is a mapping, and $\pi_i : I \to I'$ and $\pi_o : O \to O'$ are surjective mappings such that $\forall (i, o) \in I \times O$, $f(f(i, o), o) = f(i, o)$ and $\pi_i(i) = \pi_i(f(i, o))$.

The mapping $f$ specifies how components are linked and which parts of their interfaces are involved in the composition process. Both mappings $\pi_i$ and $\pi_o$ can be thought of as extensions of the hiding connective found in process calculi [21].


As is usual when dealing with feedback, the existence of an instantaneous fixpoint is required.

Definition 8 (Well-formed feedback composition) Let $H = T(O \times \_)^I$ be a signature. Let $C$ be a component over $H$ and $\mathcal{I} = (f, \pi_i, \pi_o)$ be a feedback interface over $H$. We say that the feedback of $C$ over $\mathcal{I}$ is well-formed if, and only if, for every $(i, s) \in I \times S$:

1. Fixpoint property.
$$\eta^!_{O \times S}(\alpha(s)(i)) \ne \emptyset \Rightarrow \exists (o, s') \in O \times S,\ (o, s') \in \eta^!_{O \times S}(\alpha(s)(f(i, o)))$$

2. Preservation property.
$$\forall (o, s') \in O \times S,\ (o, s') \in \eta^!_{O \times S}(\alpha(s)(f(i, o))) \Rightarrow (o, s') \in \eta^!_{O \times S}(\alpha(s)(i))$$

By the fixpoint property of Definition 8, feedback will be allowed to prune transitions. The preservation property of Definition 8, which did not occur in [1], will then ensure that no transition has been added through feedback. This last property will be useful to obtain our preservation results of Section 5.


Definition 9 (Feedback) Let $\mathcal{I} = (f, \pi_i, \pi_o)$ be a feedback interface over $H = T(O \times \_)^I$. Let $C = (S, init, \alpha)$ be a component over $H$ whose feedback over $\mathcal{I}$ is well-formed. The feedback $\odot_{\mathcal{I}}(C)$ of $C$ over $\mathcal{I}$ is the component $C' = (S, init, \alpha')$ over $H' = T(O' \times \_)^{I'}$ where $\alpha'$ is the mapping defined for every $s \in S$ and every $i' \in I'$ by $\alpha'(s)(i') = \eta^{!-1}_{O' \times S}(\Pi)$ where $\Pi$ is the set:

$$\{(o', s') \mid \exists (i, o) \in I \times O,\ (o, s') \in \eta^!_{O \times S}(\alpha(s)(f(i, o))),\ \pi_i(i) = i',\ \pi_o(o) = o'\}$$

(when $\eta^!_{O \times S}(\alpha(s)(i)) \ne \emptyset$ then so is $\Pi$, because the feedback of $C$ is well-formed over $\mathcal{I}$).
Here, feedback is defined in terms of its argument as a concrete coalgebra. A definition of feedback has been given in [1] in terms of its behaviors, and then built over the terminal model when it exists$^6$.


Complex operators and systems

Definition 10 (Complex operator) The set of complex operators is inductively defined as follows:

• $\_$ is a complex operator of arity 1;

• if $op_1$ and $op_2$ are complex operators of arity $n_1$ and $n_2$ respectively, then $op_1 \otimes op_2$ is a complex operator of arity $n_1 + n_2$;

• if $op$ is a complex operator of arity $n$ and $\mathcal{I}$ is a feedback interface, then $\odot_{\mathcal{I}}(op)$ is a complex operator of arity $n$.

Complex operators will not necessarily be defined when they are applied to a sequence of components. Indeed, for a complex operator of the form $\odot_{\mathcal{I}}(op)$, according to the component $C$ resulting from the evaluation of $op$, the interface $\mathcal{I}$ has to be defined over the signature of $C$ and the feedback over $C$ has to be well-formed. Hence, a system will be the component resulting from the evaluation of complex operators over a sequence of components, when it is defined.


Definition 11 (Systems) The set of systems is inductively defined as follows:

• for any component $C$ over a signature $H$, $\_(C) = C$ is a system over $H$ and $\_$ is defined for $C$;

• if $op_1 \otimes op_2$ is a complex operator of arity $n = n_1 + n_2$ then for every sequence $(C_1, \dots, C_{n_1}, C_{n_1+1}, \dots, C_n)$ of components with each $C_j$ over $H_j = T(O_j \times \_)^{I_j}$, if both $op_1$ and $op_2$ are defined for $C_1, \dots, C_{n_1}$ and $C_{n_1+1}, \dots, C_n$ respectively, then $op_1 \otimes op_2(C_1, \dots, C_n) = S_1 \otimes S_2$ with $S_1 = op_1(C_1, \dots, C_{n_1})$ and $S_2 = op_2(C_{n_1+1}, \dots, C_n)$ over $H'_1 = T(O'_1 \times \_)^{I'_1}$ and $H'_2 = T(O'_2 \times \_)^{I'_2}$, is a system over $T((O'_1 \times O'_2) \times \_)^{I'_1 \times I'_2}$ and $op_1 \otimes op_2$ is defined for $(C_1, \dots, C_n)$, else $op_1 \otimes op_2$ is undefined for $(C_1, \dots, C_n)$;

• if $\odot_{\mathcal{I}}(op)$ is a complex operator of arity $n$, then for every sequence $(C_1, \dots, C_n)$ of components, if $op$ is defined for $(C_1, \dots, C_n)$ with $S = op(C_1, \dots, C_n)$ over $H$, $\mathcal{I}$ is a feedback interface over $H$ and the feedback of $S$ is well-formed, then $\odot_{\mathcal{I}}(op)(C_1, \dots, C_n) = \odot_{\mathcal{I}}(S)$ is a system over $H'$ $^7$ and $\odot_{\mathcal{I}}(op)$ is defined for $(C_1, \dots, C_n)$, else $\odot_{\mathcal{I}}(op)$ is undefined for $(C_1, \dots, C_n)$.

$^6$ Indeed, as already explained, this terminal object does not always exist, and depends on constraints on the cardinality of $beh_C(s)$ for every state $s$.


In [1], we showed that most standard integration operators, such as sequential and concurrent compositions or the synchronous product, can be obtained by composition of feedback and product. Moreover, both basic and complex operators can be defined on transfer functions (see [1] for their complete definitions). Hence, if for every complex operator $op$ we note $\overline{op}$ its equivalent on transfer functions, we have the following compositionality result:

Theorem 2 (Compositionality) [1] Let $op$ be a complex operator of arity $n$. Let $C_1, \dots, C_n$ be components. If $C = op(C_1, \dots, C_n)$, then

$$beh_C(init) = \overline{op}(beh_{C_1}(init_1), \dots, beh_{C_n}(init_n))$$

Similar compositionality results have been obtained in [16, 18] but in a more categorical framework. Following the notations in [16, 18], from the set of complex operators we can easily generate an algebraic signature that can be seen as an $FP$-theory $\mathcal{L}$ over a basic set of sorts $S \subseteq Set \times Set$ where for $(In, Out) \in S$, $In$ and $Out$ denote input and output sets, respectively, and operations are complex operators (a monad $T$ is supposed identical for every couple $(In, Out)$ in the $FP$-theory $\mathcal{L}$). Outer models can then be defined along the functor $\mathcal{C} : \mathcal{L} \to Cat$ that associates to any couple $(In, Out)$ the category $Comp(H)$ with $H = T(Out \times \_)^{In}$ and to any operator the partial functor defined in Definition 10. Finally, inner models are defined by the natural transformation $X : 1 \Rightarrow \mathcal{C}$ where $1$ is the constant functor that associates to any $S \in \mathcal{L}$ the trivial one-object category $1$, which to any couple $(In, Out)$ associates the final object$^8$ in $Comp(H)$ and to any complex operator $op$ the mapping on behaviors noted $[[op]]$ in [16, 18] that contains the semantics of $op$ on both components and transfer functions.

The difference between our work and those mentioned above is to have defined integration operations by composition of two elementary operators, product and feedback, and not as a term algebra. The interest was then to demonstrate a set of general properties on these integration operators, such as the compositionality results given in [1] or the correctness-by-construction results that will be given in Section 5, by showing that these properties are valid for the product and feedback and are preserved by composition.

Hence, Theorem 2 is similar to Theorem 4.7 in [18], at least in the goal of establishing a generic result of compositionality independent of a given integration operator.

$^7$ $H'$ is the signature of the feedback.

$^8$ This then requires constraints on monads to ensure the existence of such a terminal model in $Comp(H)$.

Hence, Theorem 2 is similar to Theorem 4.7 in [18] at least in these 
goals to establish a generic result of compositionality independent of a given 
integration operator. 


Example 4 (Encoder/decoder) In this example, we show how the encoder/decoder system can be built from both the encoder $E$ and decoder $D$ components presented in Example 1. As Figure 4 illustrates, the encoder and decoder components are interconnected side-by-side, in which the output (i.e. 0 or 1) of the first is the input of the second. This kind of composition is known as sequential (or cascade). The reaction of the resulting component consists then of a reaction of both $E$ and $D$, where $E$ reacts first, produces its outputs, and then $D$ reacts. That is to say, when $E$ is triggered by an input $i$ from the environment, $E$ executes $i$ and the produced output is fed to $D$.

[Figure 4: an input stream over $\{0,1\}$ enters $E$, whose output feeds $D$, whose output is the system's output stream over $\{0,1\}$.]

Figure 4: Sequential composition

As already said above, the sequential composition, noted $\triangleright$, can be naturally defined using both the feedback operator $\odot_{\mathcal{I}}$ and the cartesian product $\otimes$ by:

$$\triangleright(E, D) = \odot_{\mathcal{I}}(E \otimes D) \qquad (1)$$

where $\mathcal{I} = (f, \pi_i, \pi_o)$ is the feedback interface defined for every $(i, i') \in \{0,1\} \times \{0,1\}$ and $(o, o') \in \{0,1\} \times \{0,1\}$ as follows:

$$f((i, i'), (o, o')) = (i, o), \qquad \pi_i((i, i')) = i \qquad \text{and} \qquad \pi_o((o, o')) = o'$$


Let us now construct the encoder/decoder as a composition of the encoder and the decoder as illustrated in Equation 1. We first define the Cartesian product $\otimes(E, D)$ of $E$ and $D$ as illustrated in Example 3 (see Figure 2). It is easy to see that $\otimes(E, D)$ is a well-formed feedback composition over $\mathcal{I}$. Let us check this for $(s_0, q_0)$:

• $((0,0), (s_0, q_0)) \in \eta^!(\alpha_\otimes((s_0, q_0))(f((0,0), (0,0))))$,
• $((1,1), (s_1, q_1)) \in \eta^!(\alpha_\otimes((s_0, q_0))(f((1,1), (1,1))))$,
• $((0,0), (s_0, q_0)) \in \eta^!(\alpha_\otimes((s_0, q_0))(f((0,1), (0,0))))$,
• $((1,1), (s_1, q_1)) \in \eta^!(\alpha_\otimes((s_0, q_0))(f((1,0), (1,1))))$;

and for $(s_1, q_0)$:

• $((1,1), (s_1, q_1)) \in \eta^!(\alpha_\otimes((s_1, q_0))(f((0,0), (1,1))))$,
• $((0,0), (s_0, q_0)) \in \eta^!(\alpha_\otimes((s_1, q_0))(f((1,1), (0,0))))$,
• $((0,0), (s_0, q_0)) \in \eta^!(\alpha_\otimes((s_1, q_0))(f((1,0), (0,0))))$,
• $((1,1), (s_1, q_1)) \in \eta^!(\alpha_\otimes((s_1, q_0))(f((0,1), (1,1))))$.

Then, we can apply the feedback operator $\odot_{\mathcal{I}}$ on $\otimes(E, D)$. This leads to a new component $\odot_{\mathcal{I}}(\otimes(E, D))$ (see Figure 5) where all outputs of $E$ (i.e. 0 and 1) that are fed back to $D$ are hidden (i.e. synchronized).

Figure 5: The encoder/decoder system
4 Component Logic 


We present a logic $\mathcal{L}$ for components and systems and define its semantics. 
This logic is a slight extension of the μ-calculus to input and output values 
as done in [10], except that we will also quantify over input and output 
variables. Quantifying over input and output variables will allow us to 
manipulate formulae independently of a given component or system (i.e. 
independently of a given signature). In the next section, we will show 
that properties involving quantification are the only properties which can be 
exported from a component to the system to which it belongs, because they 
are independent of signatures. 


4.1 Syntax and Satisfaction 


In the next definition, we need a set of supplementary variables, called fixed 
point variables, to express formulae in the μ-calculus that denote recursion on 
states. To differentiate these variables from the input and output variables, 
we will denote input and output variables by $x, x', x_1, x_2, \ldots, y, y', y_1, y_2, \ldots$ 
and fixed point variables by $\bar{x}, \bar{x}', \bar{x}_1, \bar{x}_2, \ldots, \bar{y}, \bar{y}', \bar{y}_1, \bar{y}_2, \ldots$^9 


Definition 12 (Component formulae) Let $H = T(O \times \_)^I$ be a signature. 
Let X be a set of fixed point variables. Let $V = V_I \sqcup V_O$ be^10 a set of variables 
such that variables in $V_I$ (resp. $V_O$) are called input (resp. output) variables. 
The set of formulae $\mathcal{L}$ is given by the following grammar: 


$\varphi ::= true \mid \bar{x} \mid x_i \,|\, y_o \mid [x_i]\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \forall x.\varphi \mid \nu\bar{x}.\psi$ 


where $x_i \in V_I \cup I$, $y_o \in V_O \cup O$, $x \in V$, $\bar{x} \in X$ and $\psi$ is a formula in the 
logic that may contain occurrences of the variable $\bar{x}$ provided that every 
free occurrence of $\bar{x}$ in $\psi$ occurs positively, i.e. within the scope of an even 
number of negations. 


A formula $\varphi$ is closed when every fixed point variable $\bar{x}$ is within the scope 
of an operator $\nu\bar{x}$, and every input (resp. output) variable x (resp. y) is 
within the scope of a quantifier $\forall x$ (resp. $\forall y$). 


^9 It is worth noting that x and $\bar{x}$ are independent variables: $\bar{x}$ is not obtained from x 
by applying any mapping $\bar{\ }$ to input and output variables. The over line over letters is 
just a notation to differentiate fixed point variables from input and output variables. 

^10 $\sqcup$ is the disjoint union of sets. 
Intuitively, a formula of the form $[x_i]\varphi$ stands for a state formula, and states 
that after performing the input $x_i$, all immediately reachable states satisfy 
$\varphi$. A formula of the form $x_i \,|\, y_o$ stands for an output formula, and states 
that it is possible to produce the output $y_o$ after performing the input $x_i$. 
In practice, in such formulae, $x_i$ and $y_o$ will often be elements of I and O 
respectively, and not variables in $V_I$ and $V_O$. Finally, a formula of the form 
$\nu\bar{x}.\psi$ stands for a formula that expresses a recursion on states and is defined 
semantically as a function with fixed points. Indeed, each formula $\varphi$ whose free 
fixed point variables are among $\{\bar{x}_1, \ldots, \bar{x}_n\}$ can be semantically 
defined as a function $f_\varphi : \mathcal{P}(S)^n \to \mathcal{P}(S)$ that, given n subsets of states 
in S, yields the set of states that satisfy $\varphi$. Therefore, a formula $\varphi$ of the 
form $\nu\bar{x}.\psi$, which can be seen as a "looping", denotes the greatest fixed point 
of the function $f_\psi : S' \mapsto f_\psi(\ldots, S', \ldots)$ where $f_\psi : \mathcal{P}(S)^n \to \mathcal{P}(S)$ and 
$\bar{x}_i = \bar{x}$ (i.e. we force the free variable $\bar{x}_i$ to be interpreted by S' in $\psi$). It 
is well known that such a fixed point exists when $f_\psi$ is monotonic on $\mathcal{P}(S)$. 
The condition that every free occurrence of $\bar{x}$ in $\psi$ occurs positively ensures 
monotonicity [11]. In this paper, we will not interpret each μ-formula $\varphi$ as a 
function $f_\varphi$, but will prefer to follow the more classical definition of satisfaction, 
i.e. defining a binary relation $\models$ between components and μ-formulae. 


Example 5 We give here some formulae about the encoder and 
decoder components E and D presented in Example 1. 


• A state having an outgoing transition labeled by 0|0 can be reached: 


$\mu\bar{x}.(\exists x.\langle x \rangle \bar{x} \vee 0 \,|\, 0)$ 


• There exists an infinite path of E that passes infinitely often through states 
having an outgoing transition labeled with 0|0: 


$\nu\bar{x}.(\mu\bar{y}.(0 \,|\, 0 \vee \exists x.\langle x \rangle \bar{y}) \wedge \exists x.\langle x \rangle \bar{x})$ 


In the following, we will sometimes be led to use some derived 
operators: $\langle x_i \rangle \varphi \Leftrightarrow \neg[x_i]\neg\varphi$, $false \Leftrightarrow \neg true$, $\exists x.\varphi \Leftrightarrow \neg\forall x.\neg\varphi$ and 
$\mu\bar{x}.\psi \Leftrightarrow \neg\nu\bar{x}.\neg\psi'$ where $\psi'$ is the formula obtained from $\psi$ by substituting 
$\neg\bar{x}$ for $\bar{x}$ in all free occurrences of $\bar{x}$ in $\psi$. 


Definition 13 (Satisfaction) Let $C = (S, init, \alpha)$ be a component over 
$T(O \times \_)^I$. Let $\varphi$ be a formula in $\mathcal{L}$. For every fixed point variable 
interpretation $\lambda : X \to \mathcal{P}(S)$, every input and output variable interpretation 
$\iota : V \to I \cup O$ such that for every $x \in V_I$ (resp. $x \in V_O$), $\iota(x) \in I$ (resp. 
$\iota(x) \in O$), and for every state $s \in S$, C satisfies $\varphi$ for s, $\iota$ and $\lambda$, noted 
$C \models_{s,\iota,\lambda} \varphi$, if, and only if: 


• $C \models_{s,\iota,\lambda} true$ 

• $C \models_{s,\iota,\lambda} \bar{x}$ iff $s \in \lambda(\bar{x})$ 

• $C \models_{s,\iota,\lambda} x_i \,|\, y_o$ iff $\iota(y_o) \in \eta_{O \times S}(\alpha(s)(\iota(x_i)))|_o$ 

• $C \models_{s,\iota,\lambda} [x_i]\varphi'$ iff $\forall s' \in \eta_{O \times S}(\alpha(s)(\iota(x_i)))|_s,\ C \models_{s',\iota,\lambda} \varphi'$ 

• $C \models_{s,\iota,\lambda} \nu\bar{x}.\psi$ iff $\exists S' \subseteq S$ such that $s \in S'$ and $\forall s' \in S',\ C \models_{s',\iota,\lambda[S'/\bar{x}]} \psi$ 


Here, $\lambda[S'/\bar{x}]$ is the interpretation such that $\lambda[S'/\bar{x}](\bar{x}) = S'$ and 
$\lambda[S'/\bar{x}](\bar{x}') = \lambda(\bar{x}')$ for every $\bar{x}' \neq \bar{x}$. 


• Propositional connectives and the quantifier are handled as usual. 


C satisfies a formula $\varphi$, noted $C \models \varphi$, if, and only if for every valuation $\lambda$ 
and every valuation $\iota : V \to I \cup O$, $C \models_{init,\iota,\lambda} \varphi$. 


From Definition 13, it is obvious to show that for every closed formula 
$\varphi$ and every state $s \in S$: 


$\forall \lambda : X \to \mathcal{P}(S),\ \forall \iota : V \to I \cup O,\ C \models_{s,\iota,\lambda} \varphi \Leftrightarrow C \models_{s,\emptyset} \varphi$ 


where $\emptyset : X \to \mathcal{P}(S)$ is the fixed point variable interpretation that associates 
the empty set $\emptyset$ to every $\bar{x} \in X$, and $C \models_{s,\emptyset} \varphi$ means that for every input 
and output variable interpretation $\iota$, $C \models_{s,\iota,\emptyset} \varphi$. Hence, for closed formulae, 
both the input and output variable interpretation and the fixed point variable 
interpretation are irrelevant, the latter being calculated during the satisfaction 
of the closed formula. 


The derived operators are then interpreted as follows: 


• $C \models_{s,\iota,\lambda} \langle x_i \rangle \varphi$ iff $\exists s' \in \eta_{O \times S}(\alpha(s)(\iota(x_i)))|_s,\ C \models_{s',\iota,\lambda} \varphi$ 

• $C \models_{s,\iota,\lambda} \mu\bar{x}.\psi$ iff $\forall S' \subseteq S,\ (\{s' \in S \mid C \models_{s',\iota,\lambda[S'/\bar{x}]} \psi\} \subseteq S' \Rightarrow s \in S')$ 


By convention, $\iota(x_i) = x_i$ (resp. $\iota(y_o) = y_o$) when $x_i \in I$ (resp. $y_o \in O$). 
We could also resort explicitly to the extension of logics induced 
by the functor H, in the spirit of standard coalgebraic logic as defined 
in [36]. Indeed, following [36], the modality $[\_]$ can also be defined through 
natural transformations $\rho(i) : H \Rightarrow \mathcal{P}$ where $i \in I$, such that for every set 
$S \in Set$, $\rho(i)_S : f \mapsto \eta_{O \times S}(f(i))|_s$. Taking the notations of [36], the modality $[x_i]$ 
then becomes the modality $\Box_{\rho(x_i)}$ and has as semantics: 


$C \models_{s,\iota,\lambda} \Box_{\rho(x_i)} \psi \Leftrightarrow \forall s' \in \rho(\iota(x_i))_S(\alpha(s)),\ C \models_{s',\iota,\lambda} \psi$ 


In the same way, atoms of the form $i \,|\, o$ can be induced by natural 
transformations $i \,|\, o : H \Rightarrow 2$ where $2 = \{true, false\}$, defined by: 


$(i \,|\, o)_S : f \mapsto \exists s' \in S,\ (o, s') \in \eta_{O \times S}(f(i))$ 

This leads to the following satisfaction definition: 


$C \models_{s,\iota,\lambda} x_i \,|\, y_o \Leftrightarrow ((\iota(x_i) \,|\, \iota(y_o))_S \circ \alpha)(s) = true$ 

This would of course give a more categorical definition of the logic, but 
one perhaps less practical in its use. Our goal here is to give a formal framework 
for system engineering. That is why we prefer to follow the approach 
developed in [10]. 


4.2 Adequacy and Characterization 

The following theorem shows that $\mathcal{L}$ is expressive enough to characterize 
bisimilarity. 


Theorem 3 (Adequacy) Let $C_1 = (S_1, init_1, \alpha_1)$ and $C_2 = (S_2, init_2, \alpha_2)$ be 
two components over $T(O \times \_)^I$ that are finite image, i.e. $\forall j = 1,2,\ \forall (i,s) \in 
I \times S_j,\ |\eta_{O \times S_j}(\alpha_j(s)(i))| < \infty$. Then, we have: 


$(\forall \varphi,\ C_1 \models \varphi \Leftrightarrow C_2 \models \varphi) \Leftrightarrow init_1 \sim init_2$ 


Proof. To prove the only if implication, let us suppose that $init_1 \sim init_2$. 
Let $\lambda_2 : X \to \mathcal{P}(S_2)$. Let us define $\lambda_1 : X \to \mathcal{P}(S_1)$ by: 


$\lambda_1(\bar{x}) = \{s_1 \mid \exists s_2 \in \lambda_2(\bar{x}),\ s_1 \sim s_2\}$ 

It is quite obvious to show by structural induction on formulae that for every 
$\varphi$ and every $s_1 \in S_1$, $s_2 \in S_2$ with $s_1 \sim s_2$: 


$C_1 \models_{s_1,\iota,\lambda_1} \varphi \Leftrightarrow C_2 \models_{s_2,\iota,\lambda_2} \varphi$ 

We can apply the same reasoning from any valuation $\lambda_1 : X \to \mathcal{P}(S_1)$. 


For the converse (the if part), let us define the relation $\equiv \subseteq S_1 \times S_2$ as 
follows: $s \equiv s'$ iff for every $\lambda : X \to \mathcal{P}(S_1)$ and every $\iota : V \to I \cup O$, 


$\forall \varphi,\ C_1 \models_{s,\iota,\lambda} \varphi \Leftrightarrow C_2 \models_{s',\iota,\lambda'} \varphi$ 


where $\lambda' : X \to \mathcal{P}(S_2)$ is the mapping that associates the set $\{s' \mid \exists s \in 
\lambda(\bar{x}),\ s \equiv s'\}$ to each $\bar{x} \in X$. Let us show that $\equiv \subseteq \sim$. Let us suppose that 
$s \equiv s'$. By definition, this means for every $\lambda : X \to \mathcal{P}(S_1)$, every $i \in I$ 
and every $o \in \eta_{O \times S_1}(\alpha_1(s)(i))|_o$, that $C_1 \models_{s,\iota,\lambda} i \,|\, o$, and then by hypothesis, 
$C_2 \models_{s',\iota,\lambda'} i \,|\, o$, i.e. $o \in \eta_{O \times S_2}(\alpha_2(s')(i))|_o$. It remains to prove that for every 
$\bar{s} \in \eta_{O \times S_1}(\alpha_1(s)(i))|_s$, there exists $\bar{s}' \in \eta_{O \times S_2}(\alpha_2(s')(i))|_s$ such that $\bar{s} \equiv \bar{s}'$. 
For a given $\bar{s} \in \eta_{O \times S_1}(\alpha_1(s)(i))|_s$, let us suppose the opposite, i.e. there does 
not exist such an $\bar{s}'$. By hypothesis we have for every mapping $\lambda$ that $C_1 \models_{s,\iota,\lambda} 
\langle i \rangle true$ and then $C_2 \models_{s',\iota,\lambda'} \langle i \rangle true$. Hence, the set $\eta_{O \times S_2}(\alpha_2(s')(i))|_s$ is not 
empty. Now, having supposed the contrary, for every $\bar{s}' \in \eta_{O \times S_2}(\alpha_2(s')(i))|_s$ 
there exists a formula $\varphi_{\bar{s}'}$ such that $C_1 \models_{\bar{s},\iota,\lambda} \varphi_{\bar{s}'}$ and $C_2 \not\models_{\bar{s}',\iota,\lambda'} \varphi_{\bar{s}'}$. By 
hypothesis, the cardinality of $\eta_{O \times S_2}(\alpha_2(s')(i))|_s$ is finite. Therefore, we have 

$C_1 \models_{s,\iota,\lambda} \langle i \rangle \bigwedge_{\bar{s}' \in \eta_{O \times S_2}(\alpha_2(s')(i))|_s} \varphi_{\bar{s}'}$ and $C_2 \not\models_{s',\iota,\lambda'} \langle i \rangle \bigwedge_{\bar{s}' \in \eta_{O \times S_2}(\alpha_2(s')(i))|_s} \varphi_{\bar{s}'}$ 

which is not possible as $s \equiv s'$. 


When bisimulations rest on the same component, we further have the 
following result: 


Theorem 4 (Characterization) Let $C = (S, init, \alpha)$ be a component with 
finite image over a signature $H = T(O \times \_)^I$ such that I is finite. Then 
there exists for any $s \in S$ a closed formula $\varphi_s$ such that: 


$\forall s' \in S,\ s \sim s' \Leftrightarrow C \models_{s',\emptyset} \varphi_s$ 


Proof. Let us associate to any state $s \in S$ the variable $\bar{x}_s \in X$, and let us 
define the formula $\tilde{\varphi}_s = \nu\bar{x}_s.\psi_s$ where 

$\psi_s = \bigwedge_{i \in I,\ (o,s') \in \eta_{O \times S}(\alpha(s)(i))} \langle i \rangle \bar{x}_{s'} \wedge i \,|\, o$ 

Then, let us define $\varphi_s$ as the formula obtained from $\tilde{\varphi}_s$ recursively as follows: 


• $\Gamma_0 = \{\bar{x}_s\}$ and $\varphi_s^0 = \tilde{\varphi}_s$; 

• $\varphi_s^j$ is the formula obtained from $\varphi_s^{j-1}$ by replacing every variable 
$\bar{x}_{s'} \notin \Gamma_{j-1}$ by $\tilde{\varphi}_{s'}$, and 


$\Gamma_j = \Gamma_{j-1} \cup \{\bar{x}_{s'} \mid \bar{x}_{s'}$ has been replaced by $\tilde{\varphi}_{s'}$ in $\varphi_s^{j-1}\}$ 


Then, let us set $\varphi_s = \varphi_s^n$. S being finite, this process terminates. Hence, 
every fixed point variable in $\varphi_s$ is within the scope of a fixed point operator $\nu$. 


Let us suppose that $s \sim s'$. Then, we can easily show by induction 
on the number of nested occurrences of $\nu$-formulae in $\varphi_s$ that $C \models_{s,\emptyset} \varphi_s$. 
Let us suppose that this number is one. This means that there exist $i \in I$ 
and $o \in O$ such that $(o,s) \in \eta_{O \times S}(\alpha(s)(i))$, and then $\varphi_s$ is of the form 
$\nu\bar{x}_s.\langle i \rangle \bar{x}_s \wedge i \,|\, o$. It is obvious that in this case $C \models_{s,\emptyset} \varphi_s$: it is sufficient to 
choose $S' = \{s\}$. Let us suppose that the number of nested occurrences of 
$\nu$-formulae in $\varphi_s$ is greater than one. Then, this means that $\varphi_s$ is of the form 

$\nu\bar{x}_s.\bigwedge_{i \in I,\ (o,s') \in \eta_{O \times S}(\alpha(s)(i))} \langle i \rangle \varphi_{s'} \wedge i \,|\, o$ 

where $\varphi_{s'}$ is a closed formula except maybe for the variable $\bar{x}_s$. By definition, we know that $(o, s') \in \eta_{O \times S}(\alpha(s)(i))$. 
By the induction hypothesis, we have that $C \models_{s',\emptyset} \varphi_{s'}$, and by hypothesis $C \models_{s,\emptyset} 
i \,|\, o$. $\varphi_{s'}$ is closed except for $\bar{x}_s$. Therefore $C \models_{s,\emptyset[\bar{x}_s/\{s\}]} \langle i \rangle \varphi_{s'}$. We can 
then conclude that $C \models_{s,\emptyset} \varphi_s$. By Theorem 3, since $s \sim s'$, we also have 
$C \models_{s',\emptyset} \varphi_s$. 

Conversely, let us define the binary relation $\equiv$ on S by: 


$s \equiv s' \Leftrightarrow C \models_{s',\emptyset} \varphi_s$ 


Let us show that $\equiv$ is a bisimulation over S. Let $i \in I$ and $(o, \bar{s}) \in 
\eta_{O \times S}(\alpha(s)(i))$. By definition, $C \models_{s',\emptyset} i \,|\, o$. It remains to prove that there exists 
$\bar{s}'$ such that $(o, \bar{s}') \in \eta_{O \times S}(\alpha(s')(i))$ and $\bar{s} \equiv \bar{s}'$. Let us suppose the contrary, 
i.e. $C \not\models_{\bar{s}',\emptyset} \varphi_{\bar{s}}$. We then have that $C \not\models_{s',\emptyset} \varphi_s[\bar{x}_s/\varphi_s]$. As $\varphi_s$ is closed, we also 
have that $C \not\models_{s',\emptyset} \varphi_s$, which is impossible since $s \equiv s'$. The same reasoning 
can be carried out for $\equiv^{-1}$. 


5 Correctness-by-construction 


Here, we are interested in building correct systems from correct components, 
i.e. we are going to give correctness-by-construction results. These 
results rest on component properties that can be exported to systems. These 
exported properties then have to be expressible independently of any component 
and system. Indeed, the correctness-by-construction results can only concern 
formulae that do not contain concrete inputs and outputs (i.e. some $i \in I$ and $o \in O$), 
so that they can be interpreted both by the component and by the system into which it is 
plugged. Therefore, they concern all the formulae in $\mathcal{L}$ containing no input 
and output values, i.e. all the formulae defined by the following grammar: 


$\varphi ::= true \mid \bar{x} \mid [x]\varphi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \forall x.\varphi \mid \nu\bar{x}.\varphi$ (2) 


where $\bar{x} \in X$ and $x \in V_I$ (the set of input variables). Note that whatever 
the signature H considered, the set of formulae defined by Grammar (2) is 
always the same. This will also be the case for the other logics defined in this 
section. 


This grammar is sufficient to express most of the interesting general properties 
on both systems and components, such as deadlock freedom: 


$\nu\bar{x}.(\exists x.\langle x \rangle true \wedge \forall y.[y]\bar{x})$ 


or the fact that any path is finite: 


$\mu\bar{x}.\forall x.[x]\bar{x}$ 


or conversely, that there exists an infinite path: 


$\nu\bar{x}.\exists x.\langle x \rangle \bar{x}$ 

It would be easy to put a set of propositional variables P in signatures, 
and then to add a mapping $\delta : S \to 2^P$ to components. In this case, we 
would be able to express supplementary properties, such as the fact that it is possible to 
reach a state satisfying a propositional variable p: 


$\mu\bar{x}.(p \vee \exists x.\langle x \rangle \bar{x})$ 
Such formulae are completely preserved along the Cartesian product, that 
is to say any system of the form $\otimes(C_1, C_2)$ satisfies all the properties of its 
components $C_i$ (for i = 1,2) and nothing more. 


Proposition 1 (Preservation by product) Let $C_1 = (S_1, init_1, \alpha_1)$ and $C_2 = 
(S_2, init_2, \alpha_2)$ be two components over $H_1$ and $H_2$, respectively. Then, for 
every formula $\varphi$ defined by Grammar (2), we have: 


$(\forall i = 1,2,\ C_i \models \varphi) \Leftrightarrow C \models \varphi$ 

where $C = (S, init, \alpha)$ is the Cartesian product $C = \otimes(C_1, C_2)$ of $C_1$ and $C_2$. 


Proof. By structural induction over $\varphi$, we first prove the following property: 
$\forall (s_1, s_2) \in S,\ \forall \lambda : X \to \mathcal{P}(S),\ \forall \iota : V \to I \cup O$, 


$(\forall i = 1,2,\ C_i \models_{s_i,\iota_i,\lambda_i} \varphi) \Leftrightarrow C \models_{(s_1,s_2),\iota,\lambda} \varphi$ 


where $\lambda_i : X \to \mathcal{P}(S_i)$ is defined by: 


$\bar{x} \mapsto \{s_i \mid \exists s_j \in S_j,\ j \neq i,\ (s_1, s_2) \in \lambda(\bar{x})\}$ 

and $\iota_i : V \to I_i \cup O_i$ is defined by $x \mapsto \iota(x)|_i$. 

Therefore, let $(s_1, s_2) \in S$. Let $\lambda : X \to \mathcal{P}(S)$ be a valuation. Let 
$\iota : V \to I \cup O$ be a variable interpretation (recall that $I = I_1 \times I_2$ and 
$O = O_1 \times O_2$). 

Basic case: this is obvious for true. For $\varphi = \bar{x}$, the equivalence rests on 
the following equivalence, which is true by definition of $\lambda_i$ for every i = 1,2: 


$(s_1, s_2) \in \lambda(\bar{x}) \Leftrightarrow s_i \in \lambda_i(\bar{x}),\ i = 1,2$ 
General case: many cases have to be considered: 


• $\varphi = [x]\psi$. Let $(s_1', s_2') \in \eta_{O \times S}(\alpha((s_1, s_2))(\iota(x)))|_s$. By the induction 
hypothesis, we have: 


$(\forall i = 1,2,\ C_i \models_{s_i',\iota_i,\lambda_i} \psi) \Leftrightarrow C \models_{(s_1',s_2'),\iota,\lambda} \psi$ 


By definition, if $(s_1', s_2') \in \eta_{O \times S}(\alpha((s_1, s_2))(\iota(x)))|_s$, then for every i = 
1,2, $s_i' \in \eta_{O_i \times S_i}(\alpha_i(s_i)(\iota_i(x)))|_s$. If we suppose that $C_i \models_{s_i,\iota_i,\lambda_i} [x]\psi$ 
for every i = 1,2, then $C_i \models_{s_i',\iota_i,\lambda_i} \psi$, whence we can conclude that 
$C \models_{(s_1,s_2),\iota,\lambda} [x]\psi$. 


Let us suppose that $C \models_{(s_1,s_2),\iota,\lambda} [x]\psi$, and let $s_i' \in \eta_{O_i \times S_i}(\alpha_i(s_i)(\iota_i(x)))|_s$ 
for each i = 1,2. Therefore, we have that $C \models_{(s_1',s_2'),\iota,\lambda} \psi$, whence for 
every i = 1,2 we can conclude that $C_i \models_{s_i,\iota_i,\lambda_i} [x]\psi$. 


• $\varphi = \nu\bar{x}.\psi$. Let us prove the only if part. Let us suppose $S' \subseteq S$ such 
that $(s_1, s_2) \in S'$ and for every $(s_1', s_2') \in S'$, $C \models_{(s_1',s_2'),\iota,\lambda[S'/\bar{x}]} \psi$. By the 
induction hypothesis, we have that $C_i \models_{s_i',\iota_i,(\lambda[S'/\bar{x}])_i} \psi$, which is equivalent 
to $C_i \models_{s_i',\iota_i,\lambda_i[S_i'/\bar{x}]} \psi$ where $S_i' = \{s_i' \mid \exists s_j' \in S_j,\ j \neq i,\ (s_1', s_2') \in S'\}$, 
whence we can conclude that $C_i \models_{s_i,\iota_i,\lambda_i} \nu\bar{x}.\psi$. 

26 M. Aiguier, B. Kanso 


Conversely, let us suppose that for every i = 1,2 there exists $S_i' \subseteq S_i$ such 
that $s_i \in S_i'$ and for every $s_i' \in S_i'$, $C_i \models_{s_i',\iota_i,\lambda_i[S_i'/\bar{x}]} \psi$. Let us set 
$S' = S_1' \times S_2'$. Obviously, we have $(s_1, s_2) \in S'$. By the induction 
hypothesis, we can write $C \models_{(s_1',s_2'),\iota,\lambda[S'/\bar{x}]} \psi$ for every $(s_1', s_2') \in S'$, 
whence we can conclude that $C \models_{(s_1,s_2),\iota,\lambda} \nu\bar{x}.\psi$. 


• The cases for the propositional connectives $\wedge$, $\neg$ and the quantifier $\forall$ 
are obvious. 


Therefore, let us suppose that for every formula $\varphi$ and every i = 1,2, $C_i \models \varphi$. 
Let $\lambda : X \to \mathcal{P}(S)$ and $\iota : V \to I \cup O$. By hypothesis, we have for every 
i = 1,2 that $C_i \models_{init_i,\iota_i,\lambda_i} \varphi$, and then $C \models_{init,\iota,\lambda} \varphi$. 

Conversely, let us suppose that for every formula $\varphi$, $C \models \varphi$. Let $i \in \{1,2\}$, 
$\lambda_i : X \to \mathcal{P}(S_i)$ and $\iota_i : V \to I_i \cup O_i$. By definition, there exist $\lambda : X \to \mathcal{P}(S)$ 
and $\iota : V \to I \cup O$ such that $\lambda|_i = \lambda_i$ and $\iota|_i = \iota_i$. By hypothesis, we have 
that $C \models_{init,\iota,\lambda} \varphi$, and then $C_i \models_{init_i,\iota_i,\lambda_i} \varphi$. 
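To make the constructions above concrete, here is an added example (my own code, not the paper's): it implements components over the finite-powerset signature, the Cartesian product and feedback operators used in Example 4, and a checker for Definition 13 that computes the satisfaction set of a closed formula (derived operators included), then evaluates the deadlock-freedom and path formulae of this section on the encoder, the decoder, their product and the sequential composition of Equation (1), as Proposition 1 and the feedback discussion predict. The encoder/decoder transition tables are constructed here to agree with the transitions checked in Example 4 (Example 1 itself is not reproduced on this page), and the `resolvable` check is my assumed reading of when the feedback is defined.

```python
from itertools import product as cartesian

class Component:
    """Component over T(O x _)^I with T the finite powerset: alpha maps
    (state, input) to the finite set of (output, next state) pairs."""
    def __init__(self, inputs, outputs, init, alpha):
        self.I, self.O, self.init, self.alpha = frozenset(inputs), frozenset(outputs), init, alpha
        self.S = frozenset({s for (s, _) in alpha} | {n for t in alpha.values() for (_, n) in t} | {init})

    def step(self, s, i):
        return self.alpha.get((s, i), set())

def tensor(c1, c2):
    """Cartesian product: inputs and outputs are pairs, both components fire together."""
    alpha = {}
    for (s1, i1), t1 in c1.alpha.items():
        for (s2, i2), t2 in c2.alpha.items():
            alpha[((s1, s2), (i1, i2))] = {((o1, o2), (n1, n2)) for (o1, n1) in t1 for (o2, n2) in t2}
    return Component(cartesian(c1.I, c2.I), cartesian(c1.O, c2.O), (c1.init, c2.init), alpha)

def feedback(c, f, pi_i, pi_o):
    """Feedback over the interface (f, pi_i, pi_o): a transition of c under the
    fed-back input f(i, o) that actually produces o is observed as pi_i(i) | pi_o(o)."""
    alpha = {}
    for s, i, o in cartesian(c.S, c.I, c.O):
        for (o2, n) in c.step(s, f(i, o)):
            if o2 == o:
                alpha.setdefault((s, pi_i(i)), set()).add((pi_o(o), n))
    return Component({pi_i(i) for i in c.I}, {pi_o(o) for o in c.O}, c.init, alpha)

def resolvable(c, f):
    """Assumed reading of 'the feedback is defined': every (state, input) admits
    at least one output o that is actually produced under the fed-back input f(i, o)."""
    return all(any(o2 == o for o in c.O for (o2, _) in c.step(s, f(i, o)))
               for s in c.S for i in c.I)

# Formulae as tuples; variables are strings, concrete inputs/outputs are the
# component's own values (convention iota(x) = x for values). Derived operators
# are expanded as in the paper, except mu, computed directly as a least fixpoint.
def dia(x, p): return ('not', ('box', x, ('not', p)))
def exists(x, p): return ('not', ('forall', x, ('not', p)))
def or_(p, q): return ('not', ('and', ('not', p), ('not', q)))

def sat(c, phi, iota=None, lam=None):
    """Set of states s with C |=_{s,iota,lam} phi (Definition 13), i.e. the
    function f_phi of the paper; fixpoints are iterated from S (nu) or {} (mu)."""
    iota, lam = iota or {}, lam or {}
    val = lambda v: iota.get(v, v)
    op = phi[0]
    if op == 'true':
        return set(c.S)
    if op == 'var':                       # fixed point variable
        return set(lam.get(phi[1], set()))
    if op == 'out':                       # x_i | y_o
        return {s for s in c.S if any(o == val(phi[2]) for (o, _) in c.step(s, val(phi[1])))}
    if op == 'box':                       # [x_i] phi'
        body = sat(c, phi[2], iota, lam)
        return {s for s in c.S if all(n in body for (_, n) in c.step(s, val(phi[1])))}
    if op == 'not':
        return set(c.S) - sat(c, phi[1], iota, lam)
    if op == 'and':
        return sat(c, phi[1], iota, lam) & sat(c, phi[2], iota, lam)
    if op == 'forall':                    # quantification over the input values of C
        return set.intersection(*[sat(c, phi[2], {**iota, phi[1]: i}, lam) for i in c.I])
    if op in ('nu', 'mu'):
        cur = set(c.S) if op == 'nu' else set()
        while True:
            nxt = sat(c, phi[2], iota, {**lam, phi[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(op)

def models(c, phi):
    """C |= phi for a closed formula: satisfaction at the initial state."""
    return c.init in sat(c, phi)

# Constructed encoder/decoder tables, chosen to agree with the transitions checked
# in Example 4: E outputs i xor s and moves to that output, D outputs i xor q and stores i.
E = Component({0, 1}, {0, 1}, 's0', {('s0', 0): {(0, 's0')}, ('s0', 1): {(1, 's1')},
                                     ('s1', 0): {(1, 's1')}, ('s1', 1): {(0, 's0')}})
D = Component({0, 1}, {0, 1}, 'q0', {('q0', 0): {(0, 'q0')}, ('q0', 1): {(1, 'q1')},
                                     ('q1', 0): {(1, 'q0')}, ('q1', 1): {(0, 'q1')}})
f_seq = lambda i, o: (i[0], o[0])         # interface of Equation (1): f((i,i'),(o,o')) = (i,o)
ED = tensor(E, D)
SEQ = feedback(ED, f_seq, lambda i: i[0], lambda o: o[1])   # pi_i((i,i')) = i, pi_o((o,o')) = o'

# Closed formulae of Section 5 (no concrete values) and the first one of Example 5.
deadlock_free = ('nu', 'X', ('and', exists('x', dia('x', ('true',))),
                             ('forall', 'y', ('box', 'y', ('var', 'X')))))
finite_paths = ('mu', 'X', ('forall', 'x', ('box', 'x', ('var', 'X'))))
infinite_path = ('nu', 'X', exists('x', dia('x', ('var', 'X'))))
reach_00 = ('mu', 'X', or_(exists('x', dia('x', ('var', 'X'))), ('out', 0, 0)))

if __name__ == '__main__':
    for name, c in [('E', E), ('D', D), ('E (x) D', ED), ('E > D', SEQ)]:
        print(name, [models(c, p) for p in (deadlock_free, finite_paths, infinite_path)])
    print('E reaches 0|0:', models(E, reach_00), '| feedback resolvable:', resolvable(ED, f_seq))
```

The composed system decodes what the encoder encodes, so from the initial state every observable transition of `SEQ` outputs exactly its input.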


On the contrary, with feedback, as we can see in Example 4, when 
applying the feedback to the Cartesian product of the encoder E and decoder D, 
we prune transitions. Hence, we cannot ensure property preservation from 
$\odot_{\mathcal{I}}(C)$ to its component C. Actually, the problem comes from formulae of the 
form $[x]\psi$, which are here of the type of emergent properties for composability, 
that is, properties that call into question component behaviours (here C's 
behaviours) when components are integrated into systems (here through 
feedback). Indeed, emergence being the result of transition pruning, it may 
be that in $\odot_{\mathcal{I}}(C)$ all the transitions that invalidate $\psi$ have been removed 
from C. 
Dually, formulae of the form $\langle x \rangle \psi$ cannot be preserved any more from C to 
$\odot_{\mathcal{I}}(C)$. As we are interested in a correctness-by-construction result, to 
preserve properties along feedback we need to restrict the expressive power 
of the logic, and thus prevent formulae of the form $\langle x \rangle \psi$. Hence, we 
obtain a first correctness-by-construction result for feedback by restricting the 
formulae defined by Grammar (2) to the following grammar: 


$\varphi ::= true \mid false \mid \bar{x} \mid [x]\varphi \mid \varphi\ \mathcal{C}\ \varphi \mid Qx.\varphi \mid @\bar{x}.\varphi'$ (3) 

where $\mathcal{C} \in \{\wedge, \vee, \Rightarrow\}$, $Q \in \{\forall, \exists\}$, $@ \in \{\mu, \nu\}$, and $\varphi'$ is a formula built 
according to the rules of Grammar (3) in which $\bar{x}$ occurs positively. Positiveness 
of $\bar{x}$ in a formula $\varphi$ where $\bar{x}$ is free is defined as follows: 


• if $\varphi = true$ or $\varphi = false$, then $\bar{x}$ is positive in $\varphi$; 
• if $\varphi = \bar{y}$, then $\bar{x}$ is positive in $\varphi$ iff $\bar{y} = \bar{x}$; 
• if $\varphi = [x]\varphi'$, then $\bar{x}$ is positive in $\varphi$ iff $\bar{x}$ is positive in $\varphi'$; 
• if $\varphi = \varphi_1 \wedge \varphi_2$ or $\varphi = \varphi_1 \vee \varphi_2$, then $\bar{x}$ is positive in $\varphi$ iff $\bar{x}$ is positive 
in $\varphi_1$ and $\varphi_2$; 
• if $\varphi = \varphi_1 \Rightarrow \varphi_2$, then $\bar{x}$ is positive in $\varphi$ iff $\bar{x}$ is not positive in $\varphi_1$ or 
is positive in $\varphi_2$; 
• if $\varphi = @\bar{y}.\varphi'$ with $@ \in \{\mu, \nu\}$ (necessarily, we have $\bar{y} \neq \bar{x}$), then $\bar{x}$ is 
positive in $\varphi$ iff $\bar{x}$ is positive in $\varphi'$. 

The fact that $\bar{x}$ occurs positively in $\varphi'$ also ensures that $f_{\varphi'}$ is monotone. 


Proposition 2 (Preservation for feedback 1) Let $C = (S, \alpha, init)$ be a component 
over H, and let $\mathcal{I} = (f, \pi_i, \pi_o)$ be a feedback interface such that 
$\odot_{\mathcal{I}}(C) = (S, \alpha', init')$ is defined. For every $\varphi$ defined by Grammar (3), we 
have: 

$C \models \varphi \Rightarrow \odot_{\mathcal{I}}(C) \models \varphi$ 


Proof. By structural induction over $\varphi$, we first prove the following property: 
$\forall s \in S,\ \forall \lambda : X \to \mathcal{P}(S),\ \forall \iota : V \to I \cup O$, 


$C \models_{s,\iota,\lambda} \varphi \Rightarrow \odot_{\mathcal{I}}(C) \models_{s,\iota',\lambda} \varphi$ 

where $\iota' : V \to \pi_i(I) \cup \pi_o(O)$ is defined by: 

$\iota'(x) = \pi_i(\iota(x))$ if $x \in V_I$, and $\iota'(x) = \pi_o(\iota(x))$ otherwise (i.e. $x \in V_O$). 


The basic cases defined by the formulae true, false and $\bar{x}$ are obvious. 
For such formulae $\varphi$, we can even prove for every $s \in S$, every $\lambda : X \to \mathcal{P}(S)$ 
and every $\iota : V \to I \cup O$ that 


$C \models_{s,\iota,\lambda} \varphi \Leftrightarrow \odot_{\mathcal{I}}(C) \models_{s,\iota',\lambda} \varphi$ 


For the general case, many cases have to be considered: 

• $\varphi = [x]\psi$. Let $s' \in \eta_{O' \times S}(\alpha'(s)(\iota'(x)))|_s$. By definition, this means 
there are $i \in I$ and $o \in O$ such that $(s', o) \in \eta_{O \times S}(\alpha(s)(f(i,o)))$ 
and $\iota'(x) = \pi_i(i) = \pi_i(f(i,o))$. Hence, by the second property of 
Definition 8, $(s', o) \in \eta_{O \times S}(\alpha(s)(i))$. Therefore, by hypothesis, we 
have that $C \models_{s',\iota,\lambda} \psi$. Hence, by the induction hypothesis, we have 
$\odot_{\mathcal{I}}(C) \models_{s',\iota',\lambda} \psi$, whence we can conclude that $\odot_{\mathcal{I}}(C) \models_{s,\iota',\lambda} [x]\psi$. 


• $\varphi = \nu\bar{x}.\psi$. By hypothesis, we know there exists $S' \subseteq S$ such that $s \in S'$ 
and for every $s' \in S'$, $C \models_{s',\iota,\lambda[S'/\bar{x}]} \psi$. By the induction hypothesis, 
we then have for every $s' \in S'$ that $\odot_{\mathcal{I}}(C) \models_{s',\iota',\lambda[S'/\bar{x}]} \psi$. Therefore, 
we can conclude that $\odot_{\mathcal{I}}(C) \models_{s,\iota',\lambda} \nu\bar{x}.\psi$. 


• $\varphi = \mu\bar{x}.\psi$. Let $S' \subseteq S$ such that $\{s' \mid \odot_{\mathcal{I}}(C) \models_{s',\iota',\lambda[S'/\bar{x}]} \psi\} \subseteq S'$. By 
the induction hypothesis, we have $\{s' \mid C \models_{s',\iota,\lambda[S'/\bar{x}]} \psi\} \subseteq \{s' \mid \odot_{\mathcal{I}}(C) \models_{s',\iota',\lambda[S'/\bar{x}]} \psi\}$, 
and then $s \in S'$. Therefore, we can conclude that $\odot_{\mathcal{I}}(C) \models_{s,\iota',\lambda} \mu\bar{x}.\psi$. 


• The cases for the propositional connectives $\wedge, \vee, \Rightarrow$ and the quantifiers 
$\exists, \forall$ are not difficult to treat. 


Hence, let $\lambda : X \to \mathcal{P}(S)$ be a valuation and let $\iota' : V \to I' \cup O'$ be a variable 
interpretation. By definition, there exists $\iota : V \to I \cup O$ such that for every 
$x \in V$, $\iota'(x) = \pi_i(\iota(x))$ if $x \in V_I$ and $\iota'(x) = \pi_o(\iota(x))$ otherwise (i.e. $x \in V_O$). 
By hypothesis, we have $C \models_{init,\iota,\lambda} \varphi$, and then by the property above, we 
also have $\odot_{\mathcal{I}}(C) \models_{init,\iota',\lambda} \varphi$, whence we can conclude $\odot_{\mathcal{I}}(C) \models \varphi$. 


The problem is that Grammar (3) is too restrictive, and many of the example 
formulae given previously are not covered by such a grammar. 
When we look more closely at this kind of formulae, they are closed and their 
semantics is expressed by the membership of the target state of a transition 
labeled by x or y in a set of states. Such formulae being closed, their semantics 
then consists in checking that the state given as argument of the validation belongs 
to the least or the greatest fixpoint, according to the way fixed point 
variables are quantified^12. Thus, the formulae that we will take into account 
are all the formulae defined with the following supplementary restrictions: 


^12 Here, we are only interested in the membership of states in a set of states and not in 
non-membership, because all fixed point variables are in the scope of an even number of 
negations. So at the end, if one pushes the negations to be adjacent to atoms, negations 
cancel. 
• Negation is removed, and 

• For every sub-formula of the form $[x]\psi$ and $\langle x \rangle \psi$, the variable x 
is in the direct scope of a quantifier $\forall$ or $\exists$, respectively, and $\psi$ is 
a positive propositional formula, i.e. a formula defined by the 
following grammar: 


$\psi ::= true \mid \bar{x} \mid \psi \wedge \psi \mid \psi \vee \psi \mid \psi \Rightarrow \psi$ 


Therefore, the formulae which will be considered here are generated by the 
following grammar: 

$\varphi ::= \theta \mid @\bar{x}.\varphi' \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \Rightarrow \varphi$ (4) 


where $@ \in \{\mu, \nu\}$, $\varphi'$ is a formula built according to the rules of Grammar (4) 
in which $\bar{x}$ occurs positively, and $\theta$ is a state formula defined as follows: 


$\theta ::= \psi \mid \forall x.[x]\psi \mid \exists x.\langle x \rangle \psi \mid \theta \wedge \theta \mid \theta \vee \theta \mid \theta \Rightarrow \theta$ 


where $\psi$ is a positive propositional formula. 


The expressive power of such formulae is now sufficient to describe all 
the examples of general properties given at the beginning of this section. 


Here, when formulae are closed, the obtained preservation result is both 
sufficient and necessary. 


Proposition 3 (Preservation for feedback 2) Let $C = (S, \alpha, init)$ be a component 
over H, and let $\mathcal{I} = (f, \pi_i, \pi_o)$ be a feedback interface such that 
$\odot_{\mathcal{I}}(C) = (S, \alpha', init)$ is defined. For every closed formula $\varphi$ defined by 
Grammar (4), we have: 


$C \models \varphi \Leftrightarrow \odot_{\mathcal{I}}(C) \models \varphi$ 


Proof. Let $\varphi$ be a closed formula. Let $\bar{x}_1, \ldots, \bar{x}_n$ be its fixed point variables 
such that: 


1. for every i, $1 \le i \le n$, there exists a unique sub-formula of the form 
$@_i \bar{x}_i.\varphi_i$ in $\varphi$ with $@_i \in \{\mu, \nu\}$, 
2. and for every i, j, $1 \le i, j \le n$, if $pos_\varphi(@_i \bar{x}_i.\varphi_i) \prec pos_\varphi(@_j \bar{x}_j.\varphi_j)$ then 
$i < j$.^13 


By the structure of $\varphi$, for every i, $1 \le i \le n$, if we note $S_i$ the least (resp. 
the greatest) fixpoint (according to whether $@_i$ is $\mu$ or $\nu$) of the mapping 
$f : S' \mapsto \{s' \in S \mid C \models_{s',\lambda[S'/\bar{x}_i]} @_i \bar{x}_i.\varphi_i\}$ where $S' \subseteq S$ and 
$\lambda : \bar{x}_j \mapsto S_j$ if $j < i$, $\emptyset$ otherwise, 
and $S_i'$ the least (resp. the greatest) fixpoint (according to whether $@_i$ is $\mu$ or $\nu$) of 
the mapping $f' : S' \mapsto \{s' \in S \mid \odot_{\mathcal{I}}(C) \models_{s',\lambda'[S'/\bar{x}_i]} @_i \bar{x}_i.\varphi_i\}$ where $S' \subseteq S$ 
and $\lambda' : \bar{x}_j \mapsto S_j'$ if $j < i$, $\emptyset$ otherwise, then the proof of Proposition 3 amounts 
to showing the following equivalence: $\forall i, 0 \le i \le n,\ \forall s \in S$, 


$C \models_{s,\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \varphi_i \Leftrightarrow \odot_{\mathcal{I}}(C) \models_{s,\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \varphi_i$ (5) 

where $\varphi_0$ is obtained from $\varphi$ by replacing recursively every sub-formula 
$@_j \bar{x}_j.\varphi_j$ by $\varphi_j$ (i.e. all fixpoint operators have been removed). 


The proof of (5) is done by structural induction over $\varphi_i$. Among the 
basic cases, the only two slightly complicated ones are $\forall x.[x]\psi$ and $\exists x.\langle x \rangle \psi$. 


• $\varphi_i = \forall x.[x]\psi$: 

($\Rightarrow$) Let $\iota' : V \to I' \cup O'$ and let $s' \in \eta_{O' \times S}(\alpha'(s)(\iota'(x)))|_s$. By 
definition, this means there exists $(i, o) \in I \times O$ such that $(o, s') \in 
\eta_{O \times S}(\alpha(s)(f(i,o)))$ and $\pi_i(i) = \iota'(x)$. By the preservation property 
of Definition 8, we have that $(o, s') \in \eta_{O \times S}(\alpha(s)(i))$. Therefore, by 
hypothesis, we have $C \models_{s',\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \psi$. It is not difficult to show 
by structural induction on $\psi$, and by the fact that for every i, $1 \le i \le n$, 
$S_i' \subseteq S_i$ (a simple consequence of the way the least and the greatest 
fixpoints are calculated), that in this case $\odot_{\mathcal{I}}(C) \models_{s',\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \psi$. 
We then conclude that $\odot_{\mathcal{I}}(C) \models_{s,\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \varphi_i$. 

($\Leftarrow$) Let $\iota : V \to I \cup O$ and let $s' \in \eta_{O \times S}(\alpha(s)(\iota(x)))|_s$. By the fixed- 
point property, this means there exists $(o, s'') \in \eta_{O \times S}(\alpha(s)(f(\iota(x), o)))$. 


^13 Formulae can be standardly represented by trees. Using a standard numbering of tree 
nodes by natural number strings, we can refer to positions in a formula tree. Thus, given 
a formula tree $\varphi$, a position of $\varphi$ is a string $w \in \mathbb{N}^*$ which represents the path from the 
root of $\varphi$ to the sub-formula $\varphi'$ whose root occurs at that position. We note $pos_\varphi(\varphi')$ 
this position, and $\prec$ is the lexicographic order over positions. 
Moreover, we have $\odot_{\mathcal{I}}(C) \models_{s'',\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \psi$. By definition, $\psi$ 
is either logically equivalent to true or expresses some membership 
properties on the $\bar{x}_i$. Hence, for each of these $\bar{x}_i$, $S_i' \neq \emptyset$, and then by the 
way the least and the greatest fixpoints are calculated, $s' \in S_i$, whence 
we can conclude $C \models_{s,\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \varphi_i$. 


• $\varphi_i = \exists x.\langle x \rangle \psi$: 

($\Rightarrow$) Let $\iota : V \to I \cup O$ such that there exists $s' \in \eta_{O \times S}(\alpha(s)(\iota(x)))|_s$ 
satisfying $C \models_{s',\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \psi$. By the fixpoint property of Definition 8, 
this means there exists $o \in O$ such that $\eta_{O \times S}(\alpha(s)(f(\iota(x), o))) \neq \emptyset$, 
and then $\eta_{O' \times S}(\alpha'(s)(\pi_i(\iota(x)))) \neq \emptyset$. $\psi$ defining membership 
properties on some $\bar{x}_i$, for such $\bar{x}_i$, by the way both the least and greatest 
fixpoints are calculated, we have that $S_i' \cap \eta_{O' \times S}(\alpha'(s)(\pi_i(\iota(x))))|_s \neq \emptyset$, 
whence we can conclude $\odot_{\mathcal{I}}(C) \models_{s,\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \varphi_i$. 

($\Leftarrow$) Let $\iota' : V \to I' \cup O'$ such that there exists $s' \in \eta_{O' \times S}(\alpha'(s)(\iota'(x)))|_s$ 
satisfying $\odot_{\mathcal{I}}(C) \models_{s',\emptyset[S_1'/\bar{x}_1, \ldots, S_n'/\bar{x}_n]} \psi$. By definition, there exists $(i, o) \in I \times O$ 
such that $(o, s') \in \eta_{O \times S}(\alpha(s)(f(i,o)))$ and $\pi_i(i) = \iota'(x)$. By the preservation 
property of Definition 8, we have that $(o, s') \in \eta_{O \times S}(\alpha(s)(i))$. 
It is not difficult to show by structural induction on $\psi$, and by the fact 
that for every i, $1 \le i \le n$, $S_i' \subseteq S_i$ (a simple consequence of the way 
the least and the greatest fixpoints are calculated), that in this case 
$C \models_{s',\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \psi$. We can conclude $C \models_{s,\emptyset[S_1/\bar{x}_1, \ldots, S_n/\bar{x}_n]} \varphi_i$. 


Theorem 5 (Correct-by-construction) Let $op(C_1, \ldots, C_n)$ be a system over 
a signature $H = T(O \times \_)^I$ where each $C_i$ is over $H_i = T(O_i \times \_)^{I_i}$ for 
every i, $1 \le i \le n$. Let $\varphi$ be a formula satisfying the same conditions as in 
Proposition 2 (resp. in Proposition 3). Then: 


$(\forall i, 1 \le i \le n,\ C_i \models \varphi) \Rightarrow (\text{resp. } \Leftrightarrow)\ op(C_1, \ldots, C_n) \models \varphi$ 


Proof. By induction on the structure of the complex operator op, applying 
Propositions 1 and 2 (resp. 3). 


Hence, the result we have established here is a correctness-by-construction 
result by composability ([41]). This result is sufficiently general 
to be applied both to most integration operators and to a large family of 
formulae (at least, most of the formulae expected on system behaviors). 
6 Abstraction/Refinement 


6.1 Definition 


Abstraction allows us to consider the right systemic level for describing 
systems, according to modeling needs. It is thus a fundamental tool to deal 
with the growing complexity of systems, by hiding unnecessary low-level 
details related to system behavior. It helps people to better understand a 
system and makes formal analysis easier by working on abstractions of 
systems. 

Since by Definition 11 systems are ultimately defined as components, the 
abstraction of systems will be based on the abstraction of components. 


Abstraction can be seen as the inverse of refinement. Then, as is 
usual when dealing with the formalization of systems by state-based 
machines, component abstraction will naturally be defined from the concept 
of simulation, in order to consider that transitions of the abstract component are 
preserved in the concrete one [32]. However, the concept of simulation as 
defined in Definition 5 needs to be revisited in order to take into account 
the fact that the two systems in play in the abstraction can be defined 
over different signatures. The main idea is that abstraction/simulation can 
be understood as a zoom from the point of view of overall behavior, i.e. 
a transition in the abstract system can be "zoomed" into a succession 
of transitions in the concrete system in such a way that all the intermediate 
observations are only inputs and outputs that are not contained in the 
abstract signature. 


Definition 14 (Simulation revisited) Let $H = T(O \times \_)^I$ and $H' = T(O' \times \_)^{I'}$ 
be two signatures such that $I' \subseteq I$ and $O' \subseteq O$. Let $C = (S, init, \alpha)$ 
and $C' = (S', init', \alpha')$ be two components over H and H', respectively. A 
binary relation $R \subseteq S' \times S$ is a simulation if, and only if $s' R s$ implies that for 
every $i' \in I'$ and every $(o', \bar{s}') \in \eta_{O' \times S'}(\alpha'(s')(i'))$, there exist $i_1, \ldots, i_n \in I$, 
$s_0 \in S$ and $(o_1, s_1), \ldots, (o_n, s_n) \in O \times S$ such that: 


• $s = s_0$; 

• $i_n = i'$ and $o_n = o'$; 

• $\forall j, 1 \le j \le n,\ (o_j, s_j) \in \eta_{O \times S}(\alpha(s_{j-1})(i_j))$; 

• $\forall j, 1 \le j < n,\ i_j \in I \setminus I'$; 

• $\forall j, 1 \le j < n,\ o_j \in O \setminus O'$; 

• $\bar{s}' R s_n$. 


R is a bisimulation if, and only if R is a simulation and $s' R s$ further 
implies that for every $i_1, \ldots, i_n \in I$ and every $(o_1, s_1), \ldots, (o_n, s_n) \in O \times S$ such 
that: 


• $\forall j, 1 \le j \le n,\ (o_j, s_j) \in \eta_{O \times S}(\alpha(s_{j-1})(i_j))$ with $s_0 = s$; 
• $i_n \in I'$ and $o_n \in O'$; 
• $\forall j, 1 \le j < n,\ i_j \in I \setminus I'$; 
• $\forall j, 1 \le j < n,\ o_j \in O \setminus O'$; 


there exist $i' \in I'$ and $\bar{s}' \in S'$ such that $(o_n, \bar{s}') \in \eta_{O' \times S'}(\alpha'(s')(i'))$ and $\bar{s}' R s_n$. 


If R is a simulation (resp. a bisimulation) and $s' R s$, then s' is said to be similar 
(resp. bisimilar) to s. 


C' is similar (resp. bisimilar) to C if there exists a simulation (resp. 
bisimulation) R such that $init' R init$. 


It is straightforward to see from definitions that when C and C’ are 
over the same signature H, simulation (resp. bisimulation) in Definition 14 
is equivalent to the notion of simulation (resp. bisimulation) given in 
Definition 5. 


Definition 15 (Component abstraction) Let $H = T(O \times \_)^I$ and $H' = 
T(O' \times \_)^{I'}$ be two signatures such that $I' \subseteq I$ and $O' \subseteq O$. Let $C = (S, init, \alpha)$ 
and $C' = (S', init', \alpha')$ be two components over H and H', respectively. 
Then, C' is an abstraction of C, noted $C \rightsquigarrow C'$, if, and only if C' is similar 
(according to Definition 14) to C. 

The abstraction is further said to be complete, noted $C \leftrightsquigarrow C'$, when C' and C are bisimilar 
(according to Definition 14). 


The concepts introduced in Definition 15 are similar to the notions of interface refinement (but restricted to inclusions), replaceability and behavior refinement in [32]. Indeed, abstraction reflects that the behaviors observed from $C'$ are structural restrictions of those of $C$ with respect to the behavioral model captured by $T$. More precisely, following the works of Hughes and Jacobs in [22], Meng and Barbosa in [32] abstractly define behavior refinement through the notion of simulation based on a refinement preorder. Here this refinement preorder $\sqsubseteq$ is the binary relation over $T(O \times S)^I$ defined by:

$$f \sqsubseteq g \iff \big(\forall i \in I,\ \Pi_{O \times S}(f(i)) \subseteq \Pi_{O \times S}(g(i))\big)$$


In [32], simulations are restricted to morphisms, called forward morphisms, and then are defined for components over a same signature $H$. Hence, following the notations given just above, $C \rightsquigarrow C'$ if, and only if there exists a morphism $h : S' \to S$ such that for every $s' \in S'$, $Th(\alpha'(s')) \sqsubseteq \alpha(h(s'))$.


Example 6 (Coffee machine) Figure 6 shows a simple example of a coffee machine $S_c$ over the signature $\mathcal{P}_{fin}(O \times \_)^I$ where $I = \{coin, coffee, enough, not\_enough\}$ and $O = \{refund, abs, served, verify\}$. Figure 7 shows an abstraction of $S_c$ defined by the component $S_a$ over the signature $\mathcal{P}_{fin}(O' \times \_)^{I'}$ where $I' = \{coin, coffee\}$ and $O' = \{refund, abs, served\}$. $S_c$ works similarly to $S_a$ except that the behavior of $S_c$ is refined by adding a verification step. Indeed, when the user asks for a coffee, the coffee machine interface performs a verification step which consists in checking whether the introduced coin is enough or not for buying a coffee.


[Figure 6: Concrete coffee machine $S_c$; transition labels: coin|abs, coffee|verify, enough|served, not_enough|refund]


It is easy to see that $S_a$ is an abstraction of $S_c$, which is further complete. Indeed, it is sufficient to consider the binary relation $R = \{(s'_1, s_1), (s'_2, s_2)\}$.
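As an added example (not code from the paper), the following Python brute-forces the simulation and bisimulation conditions of Definition 14 on the two coffee machines of Example 6; the transition tables are reconstructed from Figures 6 and 7, and the state names s1..s3 and t1, t2, as well as the PARTIAL variant, are assumptions.

```python
# Added example, not from the paper: brute-force check of Definition 14 for finite
# components over P_fin(O x _)^I. A component is (trans, I, O) with trans[(s, i)]
# the finite set Pi_{OxS}(alpha(s)(i)) of (output, next state) pairs. Both machines
# are reconstructed from Figures 6 and 7; state names are assumptions.
CONCRETE = ({("s1", "coin"): {("abs", "s2")}, ("s2", "coffee"): {("verify", "s3")},
             ("s3", "enough"): {("served", "s1")}, ("s3", "not_enough"): {("refund", "s1")}},
            {"coin", "coffee", "enough", "not_enough"}, {"refund", "abs", "served", "verify"})
ABSTRACT = ({("t1", "coin"): {("abs", "t2")},
             ("t2", "coffee"): {("served", "t1"), ("refund", "t1")}},
            {"coin", "coffee"}, {"refund", "abs", "served"})
# Constructed variant with the refund branch dropped: simulated, but not complete.
PARTIAL = ({("t1", "coin"): {("abs", "t2")}, ("t2", "coffee"): {("served", "t1")}},
           {"coin", "coffee"}, {"refund", "abs", "served"})
R = {("t1", "s1"), ("t2", "s2")}  # the relation of Example 6, abstract state first

def observable_steps(conc, I_abs, O_abs, s, i_first):
    """(o_n, s_n) for each finite path s -i_1|o_1-> ... -i_n|o_n-> s_n of conc with
    i_1 = i_first, later inputs in I\\I', earlier outputs in O\\O' and o_n in O',
    i.e. the path shape of Definition 14. `seen` cuts cycles of hidden steps."""
    trans, I, O = conc
    hidden_in, hidden_out = I - I_abs, O - O_abs
    found, todo, seen = set(), [(s, i_first)], set()
    while todo:
        cur, i = todo.pop()
        if (cur, i) in seen:
            continue
        seen.add((cur, i))
        for o, nxt in trans.get((cur, i), ()):
            if o in O_abs:          # visible output: the path ends here
                found.add((o, nxt))
            elif o in hidden_out:   # internal step: continue on any hidden input
                todo.extend((nxt, j) for j in hidden_in)
    return found

def is_simulation(R, conc, abst):
    """Each abstract step s' -i'|o'-> t is matched, whenever s' R s, by a concrete
    path from s starting on i', ending with output o' in a state s_n with t R s_n."""
    trans_a, I_a, O_a = abst
    return all(any((t, e) in R for oo, e in observable_steps(conc, I_a, O_a, s, i) if oo == o)
               for s_a, s in R for (src, i), steps in trans_a.items() if src == s_a
               for o, t in steps)

def is_bisimulation(R, conc, abst):
    """Simulation plus the converse of Definition 14: each concrete path of that
    shape from s is matched by an abstract step from s' with the same i_1 and o_n."""
    trans_a, I_a, O_a = abst
    return is_simulation(R, conc, abst) and all(
        any((t, e) in R for oo, t in trans_a.get((s_a, i), ()) if oo == o)
        for s_a, s in R for i in I_a for o, e in observable_steps(conc, I_a, O_a, s, i))
```

Running `is_bisimulation(R, CONCRETE, ABSTRACT)` confirms the complete abstraction claimed in the example, while `PARTIAL` is only simulated: the concrete refund path has no abstract counterpart.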


An important question we must address concerns consistency of our 
definition of system abstraction: is the behavior of the abstraction of a 
system the abstraction of the behavior of this system? To answer this 
question, we have first to define what is the abstraction of system behaviors. 
[Figure 7: Abstract coffee machine $S_a$; transition labels: coin|abs, coffee|served, coffee|refund]


Definition 16 (Transfer function abstraction) Let $I$, $I'$, $O$ and $O'$ be sets of input and output values, respectively, such that $I' \subseteq I$ and $O' \subseteq O$. Let $F : I^\omega \to O^\omega$ and $F' : I'^\omega \to O'^\omega$ be two transfer functions. $F'$ is an abstraction of $F$ if, and only if for every $x' \in I'^\omega$, there exists $x \in I^\omega$ such that:

• for $j = 0$, there exists $k_0 \in \mathbb{N}$ such that:
  – $x'(0) = x(0)$ and $F(x)(k_0) = F'(x')(0)$;
  – $\forall l,\ 1 \le l \le k_0,\ x(l) \in I \setminus I'$;
  – $\forall l,\ 0 \le l < k_0,\ F(x)(l) \in O \setminus O'$;

• for $j = n$, there exists $k_n \in \mathbb{N}$ such that:
  – $x'(n) = x(k_{n-1} + 1)$ and $F(x)(k_n) = F'(x')(n)$;
  – $\forall l,\ 2 \le l \le k_n - k_{n-1},\ x(k_{n-1} + l) \in I \setminus I'$;
  – $\forall l,\ 1 \le l < k_n - k_{n-1},\ F(x)(k_{n-1} + l) \in O \setminus O'$.


Theorem 6 (Consistency of abstraction) The behaviour of the abstraction of a system is the abstraction of the behaviour of this system, i.e. when $C \rightsquigarrow C'$, then for every $F' \in beh_{C'}(init')$ there exists $F \in beh_C(init)$ such that $F'$ is an abstraction of $F$. If $C \leftrightsquigarrow C'$, then we also have the reverse correspondence.


Proof. The proof of this theorem is straightforward from the definition of system abstraction, which is defined as abstracting the behaviour of the initial system.


Now, the question is: which properties are preserved along the abstraction operator? Formally, if $C \rightsquigarrow C'$, then for every formula $\varphi$ over $H'$ such that $C' \models \varphi$, does $C \models \varphi$ hold? The problem is that $\varphi$ has to be transformed to take into account the fact that transitions in $C'$ may have been expanded into paths in $C$. This leads to the following result:


Theorem 7 Let $C$ and $C'$ be two components over $H$ and $H'$, respectively, such that $C \rightsquigarrow C'$. Then, for every closed formula $\varphi$ over $H'$ (i.e. $\varphi$ is a closed formula defined according to the grammar given in Definition 12), and for every $s \in S$ and $s' \in S'$ such that $s'$ is similar to $s$, we have:

$$C' \models_{s'} \varphi \implies (\forall \varphi' \in \Phi_\varphi,\ C \models_s \varphi')$$

where $\Phi_\varphi$ is the set of formulæ over $H$ defined by structural induction over $\varphi$ as follows:

• if $\varphi$ is $true$ or $Z$, then $\Phi_\varphi = \{\varphi\}$;

• if $\varphi = i' \,|\, o'$, then by hypothesis there exists in $C$ a finite path

$$s \xrightarrow{i'|o_1} s_1 \xrightarrow{i_2|o_2} \cdots \xrightarrow{i_n|o_n} s_n$$

such that:
  – $\forall j,\ 1 < j \le n,\ i_j \in I \setminus I'$;
  – $\forall j,\ 1 \le j < n,\ o_j \in O \setminus O'$.

We then set

$$\Phi_\varphi = \{\, i'|o_1 \wedge \langle i' \rangle\, i_2|o_2 \wedge \dots \wedge \langle i' \rangle \langle i_2 \rangle \cdots \langle i_{n-1} \rangle\, i_n|o_n \,\}$$

• if $\varphi$ is $[i]\psi$, then $\Phi_\varphi = \{\, [i]\psi' \mid \psi' \in \bigcup_{(o, \bar{s}) \in \Pi_{O \times S}(\alpha(s)(i))} \Phi_\psi \,\}$;

• if $\varphi$ is $\forall x.\psi[x]$ with $x \in V_I$ (resp. $x \in V_O$), then $\Phi_\varphi = \bigcup_{i' \in I'} \Phi_{\psi[x/i']}$ (resp. $\Phi_\varphi = \bigcup_{o' \in O'} \Phi_{\psi[x/o']}$);

• if $\varphi$ is $\neg\psi$, $\psi_1 \wedge \psi_2$, $\nu Z.\psi$, then $\Phi_\varphi$ is respectively
  – $\{\neg\psi' \mid \psi' \in \Phi_\psi\}$
  – $\{\psi'_1 \wedge \psi'_2 \mid \psi'_j \in \Phi_{\psi_j},\ j = 1, 2\}$
  – $\{\nu Z.\psi' \mid \psi' \in \Phi_\psi\}$

(Let us remark that when components are image finite and both $I'$ and $O'$ are finite sets, $\Phi_\varphi$ can be generated effectively.)


Proof. The proof is quite simple and is done by structural induction over $\varphi$.


The equivalence holds when dealing with complete abstraction. 


This result reflects the fact that all the properties studied at the abstract level are preserved at the more concrete one, modulo the fact that input and output variables have been replaced by values in $I'$ and $O'$, respectively. Thus, at the more concrete level we need only focus on the properties which were not included in the abstract behaviour. For instance, a property of the form $\forall x.[x]\psi$ which has been checked to be valid at the abstract level should be checked at the more concrete level only with values in $I \setminus I'$.


6.2 Abstraction along Integration 


Large systems usually require many abstraction steps. This leads to the notion of sequential composition of abstraction steps. Usually, composition of abstractions is divided into two concepts:

1. horizontal composition, which deals with abstraction of subparts of complex systems when they are structured into "blocks". In our framework, blocks are components as defined in Definition 2;

2. vertical composition, which deals with chaining many abstraction steps.


Horizontal composition. An important result in the systemic approach is to preserve abstraction through integration. Hence, given a complex operator $op$ with arity $n$, a sequence of components $(C_1, \dots, C_n)$ and an abstraction $C_i \rightsquigarrow C'_i$, does $op(C_1, \dots, C_i, \dots, C_n) \rightsquigarrow op(C_1, \dots, C'_i, \dots, C_n)$ hold? This of course has also to be proven for complete abstraction. First, the inclusion conditions on input and output sets should be satisfied, i.e. if $op(C_1, \dots, C_i, \dots, C_n)$ is over $H = T(O \times \_)^I$ and $op(C_1, \dots, C'_i, \dots, C_n)$ is over $H' = T(O' \times \_)^{I'}$, then the inclusions between input and output values have to be preserved, i.e. $I' \subseteq I$ and $O' \subseteq O$. Obviously, this will depend on the structure of the complex operator $op$. Actually, because of feedback, $op$ will also have to be modified into a complex operator $\overline{op}$. The reason is the feedback interface $\mathcal{I}$. Let $H = T(O \times \_)^I$ and $H' = T(O' \times \_)^{I'}$ be two signatures such that $I' \subseteq I$ and $O' \subseteq O$. Let $\mathcal{I} = (f, \pi_I, \pi_O)$ with $\pi_I : I \to \overline{I}$ and $\pi_O : O \to \overline{O}$ be a feedback interface over $H$. $\mathcal{I}$ has to be extended into a feedback interface $\mathcal{I}' = (f', \pi'_I, \pi'_O)$ over $T(O' \times \_)^{I'}$, to deal with inputs and outputs in $I'$ and $O'$, respectively. The question is how to extend $\mathcal{I}$ into $\mathcal{I}'$.

We could set $f' = f|_{I' \times O'}$. The problem is that, given $(i', o') \in I' \times O'$, $f(i', o')$ does not necessarily belong to $I'$. When it does, it is easy to define $\overline{I}'$ and $\overline{O}'$, and then $\pi'_I$ and $\pi'_O$:

• $\overline{I}' = \pi_I(I')$ and $\overline{O}' = \pi_O(O')$;
• $\pi'_I = \pi_I|_{I'}$ and $\pi'_O = \pi_O|_{O'}$.

We will then say that a feedback interface $\mathcal{I} = (f, \pi_I, \pi_O)$ over $H$ is compatible with a signature $H' = T(O' \times \_)^{I'}$ such that $I' \subseteq I$ and $O' \subseteq O$ if: $\forall (i', o') \in I' \times O',\ f(i', o') \in I'$. In the following, we will always suppose this property.


To preserve abstraction along integration, we need to impose a condition on some transitions. Again, this is due to the feedback operator. Indeed, let us suppose $C \rightsquigarrow C'$ where $C = (S, init, \alpha)$ and $C' = (S', init', \alpha')$. Let us suppose $\odot_{\mathcal{I}}(C) = (S, init, \overline{\alpha})$ and $\odot_{\mathcal{I}'}(C') = (S', init', \overline{\alpha}')$ where $\mathcal{I}'$ has been defined as previously. As $C \rightsquigarrow C'$, there exists a simulation $R \subseteq S' \times S$. Is this simulation preserved after feedback? Actually, without a supplementary condition on transitions, the answer is no. Indeed, let $s'\, R\, s$, and let $\bar{i}' \in \overline{I}'$ and $(\bar{o}', \bar{s}') \in \Pi_{\overline{O}' \times S'}(\overline{\alpha}'(s')(\bar{i}'))$. By definition of feedback, there exist $i \in I'$ and $o \in O'$ such that $(o, \bar{s}') \in \Pi_{O' \times S'}(\alpha'(s')(f'(i, o)))$. By definition of simulation, there exists a path in $C$

$$s \xrightarrow{f'(i,o)|o_1} s_1 \xrightarrow{i_2|o_2} \cdots \xrightarrow{i_n|o_n} s_n$$

such that $\bar{s}'\, R\, s_n$. By definition of feedback, the transition $s \xrightarrow{\pi_I(i)|\pi_O(o_1)} s_1$ occurs in $\odot_{\mathcal{I}}(C)$. On the contrary, there is no guarantee that the other transitions are preserved in $\odot_{\mathcal{I}}(C)$ except if the following condition holds:

In this case, we ensure that the transition $s_{j-1} \xrightarrow{\pi_I(i_j)|\pi_O(o_j)} s_j$ exists in $\odot_{\mathcal{I}}(C)$.
We will then say that $\mathcal{I}$ preserves the simulation $R$ if for every $s'\, R\, s$ and every transition $s' \xrightarrow{\bar{i}'|\bar{o}'} \bar{s}'$ in $C'$ such that $\bar{i}' = \pi'_I(f'(i, o))$ and $\bar{o}' = \pi'_O(o)$, there exists a path

$$s \xrightarrow{f'(i,o)|o_1} s_1 \xrightarrow{i_2|o_2} \cdots \xrightarrow{i_n|o_n} s_n$$

satisfying all the conditions of Definition 14 and the supplementary condition:

In the following, we will assume that, given $C \rightsquigarrow C'$ and a feedback interface $\mathcal{I}$ such that $\odot_{\mathcal{I}}(C)$ is defined, there always exists a simulation $R$ preserved by $\mathcal{I}$.


Theorem 8 (Horizontal composition) Let $op(C_1, \dots, C_i, \dots, C_n)$ be a system. Let $C_i \rightsquigarrow C'_i$ (resp. $C_i \leftrightsquigarrow C'_i$). Then,

$$op(C_1, \dots, C_i, \dots, C_n) \rightsquigarrow \overline{op}(C_1, \dots, C'_i, \dots, C_n)$$

(resp. $op(C_1, \dots, C_i, \dots, C_n) \leftrightsquigarrow \overline{op}(C_1, \dots, C'_i, \dots, C_n)$) where $\overline{op}$ is defined by structural induction on the complex operator $op$ as follows:

• if $op = \_$, then $\overline{op} = \_$;

• if $op = op_1 \otimes op_2$, then by definition $op_1$ and $op_2$ are respectively of arity $n_1 \le n$ and $n_2 \le n$. Let us suppose that $i \le n_1$ (the case where $n_1 < i \le n$ is handled similarly). Then, $\overline{op} = \overline{op_1} \otimes op_2$;

• if $op = \odot_{\mathcal{I}}(op')$, then $\overline{op} = \odot_{\mathcal{I}'}(\overline{op'})$ where $\mathcal{I}' = (f', \pi'_I : I' \to \overline{I}', \pi'_O : O' \to \overline{O}')$ is defined by:
  – $f' = f|_{I' \times O'}$;
  – $\overline{I}' = \pi_I(I')$ and $\overline{O}' = \pi_O(O')$;
  – $\pi'_I = \pi_I|_{I'}$ and $\pi'_O = \pi_O|_{O'}$.


Proof. This is proven by structural induction on the complex operator $op$. The basic case is obvious. The induction step is composed of two cases:

1. $op$ is of the form $op_1 \otimes op_2$. By definition, $op_1$ and $op_2$ are respectively of arity $n_1 \le n$ and $n_2 \le n$. Let us suppose that $i \le n_1$. By induction hypothesis we have $op_1(C_1, \dots, C_i, \dots, C_{n_1}) \rightsquigarrow \overline{op_1}(C_1, \dots, C'_i, \dots, C_{n_1})$ (resp. $op_1(C_1, \dots, C_i, \dots, C_{n_1}) \leftrightsquigarrow \overline{op_1}(C_1, \dots, C'_i, \dots, C_{n_1})$). This means by definition that there exists a simulation (resp. a bisimulation) $R_1$ between $\overline{op_1}(C_1, \dots, C'_i, \dots, C_{n_1})$ and $op_1(C_1, \dots, C_i, \dots, C_{n_1})$. Let us set $R = R_1 \times Id_S$, where $S$ is the set of states of $op_2(C_{n_1+1}, \dots, C_n)$. It is obvious to show that the Cartesian product is stable for simulation and bisimulation (according to Definition 14).

2. $op$ is of the form $\odot_{\mathcal{I}}(op')$. By induction hypothesis, we have

$$op'(C_1, \dots, C_i, \dots, C_{n_1}) \rightsquigarrow \overline{op'}(C_1, \dots, C'_i, \dots, C_{n_1})$$

(resp. $op'(C_1, \dots, C_i, \dots, C_{n_1}) \leftrightsquigarrow \overline{op'}(C_1, \dots, C'_i, \dots, C_{n_1})$). This means by definition that there exists a simulation (resp. a bisimulation) $R$ preserved by $\mathcal{I}$ between $\overline{op'}(C_1, \dots, C'_i, \dots, C_{n_1})$ and $op'(C_1, \dots, C_i, \dots, C_{n_1})$. Then let us show that $R$ remains a simulation (resp. a bisimulation) between $\odot_{\mathcal{I}'}(\overline{op'})(C_1, \dots, C'_i, \dots, C_n)$ and $\odot_{\mathcal{I}}(op')(C_1, \dots, C_i, \dots, C_n)$. Let us assume that $op'(C_1, \dots, C_i, \dots, C_{n_1})$ and $\overline{op'}(C_1, \dots, C'_i, \dots, C_{n_1})$ are over $H = T(O \times \_)^I$ and $H' = T(O' \times \_)^{I'}$, $\mathcal{I} = (f : I \times O \to I,\ \pi_I : I \to \overline{I},\ \pi_O : O \to \overline{O})$, and then $\mathcal{I}' = (f' : I' \times O' \to I',\ \pi'_I : I' \to \overline{I}',\ \pi'_O : O' \to \overline{O}')$. Moreover, let us assume that $\overline{op'}(C_1, \dots, C'_i, \dots, C_{n_1}) = (S', init', \alpha')$ and $op'(C_1, \dots, C_i, \dots, C_{n_1}) = (S, init, \alpha)$. By definition, $\odot_{\mathcal{I}'}(\overline{op'})(C_1, \dots, C'_i, \dots, C_n) = (S', init', \overline{\alpha}')$ and $\odot_{\mathcal{I}}(op')(C_1, \dots, C_i, \dots, C_n) = (S, init, \overline{\alpha})$ where $\overline{\alpha}$ and $\overline{\alpha}'$ are defined following Definition 9. Let us suppose $s' \in S'$ and $s \in S$ such that $s'\, R\, s$. Let $\bar{i}' \in \overline{I}'$ and let $(\bar{o}', \bar{s}') \in \Pi_{\overline{O}' \times S'}(\overline{\alpha}'(s')(\bar{i}'))$. By definition of feedback, there exist $i \in I'$ and $o \in O'$ such that $(o, \bar{s}') \in \Pi_{O' \times S'}(\alpha'(s')(f'(i, o)))$, $\pi'_I(i) = \bar{i}'$ and $\pi'_O(o) = \bar{o}'$. By definition of simulation, there exists an execution in $op'(C_1, \dots, C_i, \dots, C_n)$ of the form:

$$s \xrightarrow{f'(i,o)|o_1} s_1 \xrightarrow{i_2|o_2} \cdots \xrightarrow{i_n|o_n} s_n$$

with $\bar{s}'\, R\, s_n$. By the condition that $R$ is preserved by $\mathcal{I}$, we have in $\odot_{\mathcal{I}}(op')(C_1, \dots, C_i, \dots, C_n)$ the execution:

$$s \xrightarrow{\pi_I(i)|\pi_O(o_1)} s_1 \xrightarrow{\pi_I(i_2)|\pi_O(o_2)} \cdots \xrightarrow{\pi_I(i_n)|\pi_O(o_n)} s_n$$
Vertical composition. Vertical composition is just a consequence of the following simple result.


Theorem 9 Both $\rightsquigarrow$ and $\leftrightsquigarrow$ are transitive, i.e. $\rightsquigarrow \circ \rightsquigarrow\ \subseteq\ \rightsquigarrow$ and $\leftrightsquigarrow \circ \leftrightsquigarrow\ \subseteq\ \leftrightsquigarrow$.


Proof. Both $\rightsquigarrow$ and $\leftrightsquigarrow$ are defined w.r.t. the revisited similarity and bisimilarity, which are not difficult to show to be transitive relations.


Horizontal and vertical composition can be easily composed to obtain a 
bidimensional compositionality. 


7 Conclusion 


This paper introduced a logic defined as a variant of first-order fixed-point modal logic to express component and system requirements, and an abstraction operator to build systems and check their correctness incrementally. For this logic, we proposed conditions to preserve properties expressed in it along integration and abstraction, and then showed a means to establish correct-by-construction proofs. The interest of our results is that they are completely independent of integration operators. Furthermore, they have been shown for a large family of properties containing at least all the common properties that can be expressed on state-based components, such as deadlock freedom, reachability, etc.

Both the logic and the associated results presented here are devoted to discrete/computing complex systems. We are currently working to extend this work to heterogeneous complex systems (i.e. where components can be defined over discrete or continuous time scales). To do so, we first propose to introduce the notion of monad to the components of [2] to take into account different computation situations, and then to study the property preservation results for the logic defined in [3]. The defined formalism could then be used as a formal semantics for the system modelling language SysML.


When we want to conduct correctness proofs and check their feasibility, the definition of a complete proof system still needs to be explored. Moreover, following the works in [10], we propose to study computational aspects of our formalism such as the synthesis of components, to transform requirements into components that satisfy them, and the definition of model-checking algorithms. Of course, as already said in the introduction, the logic may be restricted to the propositional case. Within the formalism in [2, 3], particular attention should be given to time scales, mainly when dealing with continuous time. Indeed, although continuous time scales in [2, 3] are discretely defined and then (non-standard) induction works, their cardinality is not denumerable, which does not allow their computability. In a series of papers, Y. Sergueyev has recently defined a positional numeral system that may allow us to carry out effective computation with infinitesimal and infinitely large numbers [39, 40]. We then propose to study how to introduce the ideas developed in [39, 40] within the formalism developed in [2, 3], with algorithmic issues in mind both for the synthesis and for properties satisfaction in the presence of complex heterogeneous (discrete and continuous) systems.